Windows Analysis Report
faktura proforma pdf.exe

Overview

General Information

Sample name: faktura proforma pdf.exe
Analysis ID: 1540850
MD5: a2769ba56f8b84de34deee154f4bfba2
SHA1: 01771e5df223fac2315e8ab9ba72234a1a41f0ba
SHA256: 9f7da651412232824c868086dd48a7d63af0dbb007cef4db8c24edda9b2fcdbb
Tags: exeuser-Adamek
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Found malware configuration
Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.asposted.online/gy15/"], "decoy": ["hairsdeals.today", "acob-saaad.buzz", "9955.club", "gild6222.vip", "nline-shopping-56055.bond", "lmadulles.top", "utemodels.info", "ighdd4675.online", "nqqkk146.xyz", "avasales.online", "ortas-de-madeira.today", "haad.xyz", "races-dental-splints-15439.bond", "hilohcreekpemf.online", "rrivalgetaways.info", "orktoday-2507-02-sap.click", "eceriyayinlari.xyz", "lsurfer.click", "aston-saaae.buzz", "etrot.pro", "68mp269rf.autos", "ndia567.vip", "jinni.buzz", "rey.app", "enior-living-72184.bond", "rogramdokpirdarmowy.today", "ejcloud.info", "ools-59989.bond", "astbiz.net", "ixaahx.shop", "hqaiop.xyz", "indow-replacement-46487.bond", "rogramdokpirdarmowy.today", "remoter.net", "ecorationworld.net", "ilkool.info", "bandoned-houses-50880.bond", "andscaping-services-2507.today", "42ve.shop", "orthfitness.net", "ink-gluwty.online", "18721.club", "ahrump.homes", "uuxe6hi1l.lol", "hopbestdeals.online", "rocbotserver2.online", "8210.app", "oftware-download-44761.bond", "78ex.net", "lake-paaab.buzz", "olocal.app", "oxpal.best", "hetinkerfoundation.net", "eleerm-czjp.top", "omaininformaniacion.fun", "ahadevindia.info", "j11.online", "isax.xyz", "lennuser.shop", "48691640.top", "6747.asia", "stralvoyage.website", "aihora.info", "0372.photo"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: faktura proforma pdf.exe ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: faktura proforma pdf.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: faktura proforma pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: faktura proforma pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000007.00000002.4158146718.00000000110CF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143827334.000000000579F000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142597154.00000000033E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1788289388.00000000050A3000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.0000000005250000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1781032119.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.00000000053EE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.00000000050CE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1785605859.0000000004BCB000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1789576741.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1788289388.00000000050A3000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.0000000005250000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1781032119.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.00000000053EE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.00000000050CE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1785605859.0000000004BCB000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1789576741.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RAServer.pdb source: RegSvcs.exe, 0000000C.00000002.1792619106.00000000017E0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.1788861011.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791022734.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: mstsc.pdbGCTL source: RegSvcs.exe, 00000006.00000002.1787815352.0000000003130000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142141459.00000000008F0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000007.00000002.4158146718.00000000110CF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143827334.000000000579F000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142597154.00000000033E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mstsc.pdb source: RegSvcs.exe, 00000006.00000002.1787815352.0000000003130000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142141459.00000000008F0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RAServer.pdbGCTL source: RegSvcs.exe, 0000000C.00000002.1792619106.00000000017E0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.1788861011.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791022734.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 4x nop then jmp 0EAF0FC5h 0_2_0EAF10C4
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 4x nop then jmp 0EAF0FC5h 0_2_0EAF1860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop ebx 6_2_00407B1C
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 4x nop then jmp 0E620225h 9_2_0E620324
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 4x nop then jmp 0E620225h 9_2_0E620AC0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50007 -> 13.248.252.114:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50007 -> 13.248.252.114:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50007 -> 13.248.252.114:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.asposted.online/gy15/
Performs DNS queries to domains with low reputation
Source: DNS query: www.isax.xyz
Source: DNS query: www.haad.xyz
Tries to resolve many domain names, but no domain seems valid
Source: unknown DNS traffic detected: query: www.asposted.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.hetinkerfoundation.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.hopbestdeals.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.isax.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.nline-shopping-56055.bond replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ixaahx.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.omaininformaniacion.fun replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.rrivalgetaways.info replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.hilohcreekpemf.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.indow-replacement-46487.bond replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 7_2_0FCACF82 getaddrinfo,setsockopt,recv, 7_2_0FCACF82
Source: global traffic DNS traffic detected: DNS query: www.hilohcreekpemf.online
Source: global traffic DNS traffic detected: DNS query: www.indow-replacement-46487.bond
Source: global traffic DNS traffic detected: DNS query: www.isax.xyz
Source: global traffic DNS traffic detected: DNS query: www.hopbestdeals.online
Source: global traffic DNS traffic detected: DNS query: www.asposted.online
Source: global traffic DNS traffic detected: DNS query: www.ixaahx.shop
Source: global traffic DNS traffic detected: DNS query: www.haad.xyz
Source: global traffic DNS traffic detected: DNS query: www.omaininformaniacion.fun
Source: global traffic DNS traffic detected: DNS query: www.hetinkerfoundation.net
Source: global traffic DNS traffic detected: DNS query: www.nline-shopping-56055.bond
Source: global traffic DNS traffic detected: DNS query: www.rrivalgetaways.info
Source: explorer.exe, 00000007.00000002.4149087756.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000002.4149087756.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000002.4149087756.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000002.4149087756.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000002.4147185768.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4147904937.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1727350481.0000000009B60000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: faktura proforma pdf.exe, 00000000.00000002.1736105667.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp, xmAdkuQjxrS.exe, 00000009.00000002.1772272518.00000000029C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.0372.photo
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.0372.photo/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.0372.photo/gy15/www.rogramdokpirdarmowy.today
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.0372.photoReferer:
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.asposted.online
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.asposted.online/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.asposted.online/gy15/www.ixaahx.shop
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.asposted.onlineReferer:
Source: explorer.exe, 00000007.00000003.3108552283.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1733763393.000000000C964000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.haad.xyz
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.haad.xyz/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.haad.xyz/gy15/www.omaininformaniacion.fun
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.haad.xyzReferer:
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hetinkerfoundation.net
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hetinkerfoundation.net/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hetinkerfoundation.net/gy15/www.nline-shopping-56055.bond
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hetinkerfoundation.netReferer:
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hilohcreekpemf.online
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hilohcreekpemf.online/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hilohcreekpemf.online/gy15/www.indow-replacement-46487.bond
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hilohcreekpemf.onlineReferer:
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hopbestdeals.online
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hopbestdeals.online/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hopbestdeals.online/gy15/www.hqaiop.xyz
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hopbestdeals.onlineReferer:
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hqaiop.xyz
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hqaiop.xyz/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hqaiop.xyz/gy15/www.asposted.online
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hqaiop.xyzReferer:
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.indow-replacement-46487.bond
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.indow-replacement-46487.bond/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.indow-replacement-46487.bond/gy15/www.isax.xyz
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.indow-replacement-46487.bondReferer:
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.isax.xyz
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.isax.xyz/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.isax.xyz/gy15/www.hopbestdeals.online
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.isax.xyzReferer:
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ixaahx.shop
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ixaahx.shop/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ixaahx.shop/gy15/www.haad.xyz
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ixaahx.shopReferer:
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nline-shopping-56055.bond
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nline-shopping-56055.bond/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nline-shopping-56055.bond/gy15/www.rrivalgetaways.info
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nline-shopping-56055.bondReferer:
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oftware-download-44761.bond
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oftware-download-44761.bond/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oftware-download-44761.bond/gy15/www.0372.photo
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oftware-download-44761.bondReferer:
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.omaininformaniacion.fun
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.omaininformaniacion.fun/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.omaininformaniacion.fun/gy15/www.hetinkerfoundation.net
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.omaininformaniacion.funReferer:
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.orthfitness.net
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.orthfitness.net/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.orthfitness.net/gy15/www.oftware-download-44761.bond
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.orthfitness.netReferer:
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rogramdokpirdarmowy.today
Source: explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rogramdokpirdarmowy.today/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rogramdokpirdarmowy.todayReferer:
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rrivalgetaways.info
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rrivalgetaways.info/gy15/
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rrivalgetaways.info/gy15/www.orthfitness.net
Source: explorer.exe, 00000007.00000003.3105400926.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106217278.000000000CB4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4156869744.000000000CB4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107161768.000000000CB4B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rrivalgetaways.infoReferer:
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: faktura proforma pdf.exe, 00000000.00000002.1739742053.0000000005C24000.00000004.00000020.00020000.00000000.sdmp, faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: faktura proforma pdf.exe, 00000000.00000002.1739821654.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000007.00000002.4154353746.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1733763393.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000007.00000002.4145487064.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000002.4149087756.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000002.4149087756.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000007.00000000.1718182616.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3109263077.000000000370C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4143785522.000000000371D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3114567156.000000000371C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4142527749.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1716988722.0000000001240000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.4149087756.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4149087756.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.4149087756.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1733763393.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000007.00000000.1733763393.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4154353746.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000007.00000000.1720478261.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4145487064.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4157647117.000000000FCC4000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: Process Memory Space: faktura proforma pdf.exe PID: 2692, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7188, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: xmAdkuQjxrS.exe PID: 7332, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: mstsc.exe PID: 7524, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: raserver.exe PID: 7540, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691E70 NtQueryInformationProcess, 0_2_07691E70
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691E68 NtQueryInformationProcess, 0_2_07691E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A330 NtCreateFile, 6_2_0041A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A3E0 NtReadFile, 6_2_0041A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A460 NtClose, 6_2_0041A460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A510 NtAllocateVirtualMemory, 6_2_0041A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A2EB NtCreateFile, 6_2_0041A2EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A3DA NtReadFile, 6_2_0041A3DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A45A NtClose, 6_2_0041A45A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A50C NtAllocateVirtualMemory, 6_2_0041A50C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502B60 NtClose,LdrInitializeThunk, 6_2_01502B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_01502BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502AD0 NtReadFile,LdrInitializeThunk, 6_2_01502AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502D10 NtMapViewOfSection,LdrInitializeThunk, 6_2_01502D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502D30 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_01502D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502DD0 NtDelayExecution,LdrInitializeThunk, 6_2_01502DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502DF0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_01502DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502C70 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_01502C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502CA0 NtQueryInformationToken,LdrInitializeThunk, 6_2_01502CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502F30 NtCreateSection,LdrInitializeThunk, 6_2_01502F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502FE0 NtCreateFile,LdrInitializeThunk, 6_2_01502FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502F90 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_01502F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502FB0 NtResumeThread,LdrInitializeThunk, 6_2_01502FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502E80 NtReadVirtualMemory,LdrInitializeThunk, 6_2_01502E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_01502EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01504340 NtSetContextThread, 6_2_01504340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01504650 NtSuspendThread, 6_2_01504650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502BE0 NtQueryValueKey, 6_2_01502BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502B80 NtQueryInformationFile, 6_2_01502B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502BA0 NtEnumerateValueKey, 6_2_01502BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502AF0 NtWriteFile, 6_2_01502AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502AB0 NtWaitForSingleObject, 6_2_01502AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502D00 NtSetInformationFile, 6_2_01502D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502DB0 NtEnumerateKey, 6_2_01502DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502C60 NtCreateKey, 6_2_01502C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502C00 NtQueryInformationProcess, 6_2_01502C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502CC0 NtQueryVirtualMemory, 6_2_01502CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502CF0 NtOpenProcess, 6_2_01502CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502F60 NtCreateProcessEx, 6_2_01502F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502FA0 NtQuerySection, 6_2_01502FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502E30 NtWriteVirtualMemory, 6_2_01502E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502EE0 NtQueueApcThread, 6_2_01502EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01503010 NtOpenDirectoryObject, 6_2_01503010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01503090 NtSetValueKey, 6_2_01503090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015035C0 NtCreateMutant, 6_2_015035C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015039B0 NtGetContextThread, 6_2_015039B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01503D70 NtOpenThread, 6_2_01503D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01503D10 NtOpenProcessToken, 6_2_01503D10
Source: C:\Windows\explorer.exe Code function: 7_2_0FCADE12 NtProtectVirtualMemory, 7_2_0FCADE12
Source: C:\Windows\explorer.exe Code function: 7_2_0FCAC232 NtCreateFile, 7_2_0FCAC232
Source: C:\Windows\explorer.exe Code function: 7_2_0FCADE0A NtProtectVirtualMemory, 7_2_0FCADE0A
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D61F48 NtQueryInformationProcess, 9_2_06D61F48
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D61FF8 NtQueryInformationProcess, 9_2_06D61FF8
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D61F43 NtQueryInformationProcess, 9_2_06D61F43
Detected potential crypto function
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0118DC1C 0_2_0118DC1C
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0561B4E0 0_2_0561B4E0
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_056184B8 0_2_056184B8
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0561DED0 0_2_0561DED0
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0561F1A0 0_2_0561F1A0
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0561DEC0 0_2_0561DEC0
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0561F190 0_2_0561F190
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0561D228 0_2_0561D228
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769268C 0_2_0769268C
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691740 0_2_07691740
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07694528 0_2_07694528
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07694518 0_2_07694518
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769D308 0_2_0769D308
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691272 0_2_07691272
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769B228 0_2_0769B228
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769D2F8 0_2_0769D2F8
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691280 0_2_07691280
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07694282 0_2_07694282
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07694290 0_2_07694290
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691FF0 0_2_07691FF0
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07691FA2 0_2_07691FA2
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07690E48 0_2_07690E48
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_07690E37 0_2_07690E37
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769ADE1 0_2_0769ADE1
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769ADF0 0_2_0769ADF0
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769CA20 0_2_0769CA20
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769CA30 0_2_0769CA30
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769A9B8 0_2_0769A9B8
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0769A985 0_2_0769A985
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0EAF2958 0_2_0EAF2958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D946 6_2_0041D946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D9F3 6_2_0041D9F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041E3C9 6_2_0041E3C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041E567 6_2_0041E567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D573 6_2_0041D573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402D87 6_2_00402D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409E5B 6_2_00409E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409E60 6_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041E7D9 6_2_0041E7D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01558158 6_2_01558158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C0100 6_2_014C0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156A118 6_2_0156A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015881CC 6_2_015881CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015901AA 6_2_015901AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015841A2 6_2_015841A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01562000 6_2_01562000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158A352 6_2_0158A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DE3F0 6_2_014DE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015903E6 6_2_015903E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015502C0 6_2_015502C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0535 6_2_014D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01590591 6_2_01590591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01582446 6_2_01582446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01574420 6_2_01574420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157E4F6 6_2_0157E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F4750 6_2_014F4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CC7C0 6_2_014CC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EC6E0 6_2_014EC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E6962 6_2_014E6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0159A9A6 6_2_0159A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D2840 6_2_014D2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DA840 6_2_014DA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE8F0 6_2_014FE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014B68B8 6_2_014B68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158AB40 6_2_0158AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01586BD7 6_2_01586BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CEA80 6_2_014CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156CD1F 6_2_0156CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DAD00 6_2_014DAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CADE0 6_2_014CADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E8DBF 6_2_014E8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0C00 6_2_014D0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C0CF2 6_2_014C0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570CB5 6_2_01570CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01544F40 6_2_01544F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01572F30 6_2_01572F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01512F28 6_2_01512F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F0F30 6_2_014F0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C2FC8 6_2_014C2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154EFA0 6_2_0154EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0E59 6_2_014D0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158EE26 6_2_0158EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158EEDB 6_2_0158EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158CE93 6_2_0158CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E2E90 6_2_014E2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0159B16B 6_2_0159B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BF172 6_2_014BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0150516C 6_2_0150516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DB1B0 6_2_014DB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D70C0 6_2_014D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157F0CC 6_2_0157F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015870E9 6_2_015870E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158F0E0 6_2_0158F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BD34C 6_2_014BD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158132D 6_2_0158132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0151739A 6_2_0151739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EB2C0 6_2_014EB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015712ED 6_2_015712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014ED2F0 6_2_014ED2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D52A0 6_2_014D52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01587571 6_2_01587571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015995C3 6_2_015995C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156D5B0 6_2_0156D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C1460 6_2_014C1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158F43F 6_2_0158F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158F7B0 6_2_0158F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01515630 6_2_01515630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015816CC 6_2_015816CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D9950 6_2_014D9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EB950 6_2_014EB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01565910 6_2_01565910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153D800 6_2_0153D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D38E0 6_2_014D38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158FB76 6_2_0158FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01545BF0 6_2_01545BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0150DBF9 6_2_0150DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EFB80 6_2_014EFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158FA49 6_2_0158FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01587A46 6_2_01587A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01543A6C 6_2_01543A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157DAC6 6_2_0157DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01515AA0 6_2_01515AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01571AA3 6_2_01571AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156DAAC 6_2_0156DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01581D5A 6_2_01581D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D3D40 6_2_014D3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01587D73 6_2_01587D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EFDC0 6_2_014EFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01549C32 6_2_01549C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158FCF2 6_2_0158FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158FF09 6_2_0158FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01493FD2 6_2_01493FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01493FD5 6_2_01493FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D1F92 6_2_014D1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158FFB1 6_2_0158FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D9EB0 6_2_014D9EB0
Source: C:\Windows\explorer.exe Code function: 7_2_0E83E232 7_2_0E83E232
Source: C:\Windows\explorer.exe Code function: 7_2_0E838B32 7_2_0E838B32
Source: C:\Windows\explorer.exe Code function: 7_2_0E838B30 7_2_0E838B30
Source: C:\Windows\explorer.exe Code function: 7_2_0E834082 7_2_0E834082
Source: C:\Windows\explorer.exe Code function: 7_2_0E83D036 7_2_0E83D036
Source: C:\Windows\explorer.exe Code function: 7_2_0E8415CD 7_2_0E8415CD
Source: C:\Windows\explorer.exe Code function: 7_2_0E835D02 7_2_0E835D02
Source: C:\Windows\explorer.exe Code function: 7_2_0E83B912 7_2_0E83B912
Source: C:\Windows\explorer.exe Code function: 7_2_0F6E8B32 7_2_0F6E8B32
Source: C:\Windows\explorer.exe Code function: 7_2_0F6E8B30 7_2_0F6E8B30
Source: C:\Windows\explorer.exe Code function: 7_2_0F6EE232 7_2_0F6EE232
Source: C:\Windows\explorer.exe Code function: 7_2_0F6E5D02 7_2_0F6E5D02
Source: C:\Windows\explorer.exe Code function: 7_2_0F6EB912 7_2_0F6EB912
Source: C:\Windows\explorer.exe Code function: 7_2_0F6F15CD 7_2_0F6F15CD
Source: C:\Windows\explorer.exe Code function: 7_2_0F6ED036 7_2_0F6ED036
Source: C:\Windows\explorer.exe Code function: 7_2_0F6E4082 7_2_0F6E4082
Source: C:\Windows\explorer.exe Code function: 7_2_0FCAC232 7_2_0FCAC232
Source: C:\Windows\explorer.exe Code function: 7_2_0FCAF5CD 7_2_0FCAF5CD
Source: C:\Windows\explorer.exe Code function: 7_2_0FCA3D02 7_2_0FCA3D02
Source: C:\Windows\explorer.exe Code function: 7_2_0FCA9912 7_2_0FCA9912
Source: C:\Windows\explorer.exe Code function: 7_2_0FCA6B32 7_2_0FCA6B32
Source: C:\Windows\explorer.exe Code function: 7_2_0FCA6B30 7_2_0FCA6B30
Source: C:\Windows\explorer.exe Code function: 7_2_0FCA2082 7_2_0FCA2082
Source: C:\Windows\explorer.exe Code function: 7_2_0FCAB036 7_2_0FCAB036
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_008ADC1C 9_2_008ADC1C
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_026C7ED0 9_2_026C7ED0
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_026C0120 9_2_026C0120
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_026C0130 9_2_026C0130
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_052184B8 9_2_052184B8
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_0521B4E0 9_2_0521B4E0
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_0521DED0 9_2_0521DED0
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_0521F1A0 9_2_0521F1A0
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_0521DEC0 9_2_0521DEC0
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_0521F190 9_2_0521F190
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D626BC 9_2_06D626BC
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D64550 9_2_06D64550
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D64540 9_2_06D64540
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D642C0 9_2_06D642C0
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D642B3 9_2_06D642B3
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6B250 9_2_06D6B250
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D61358 9_2_06D61358
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6D330 9_2_06D6D330
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D620C8 9_2_06D620C8
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6AE18 9_2_06D6AE18
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6AE09 9_2_06D6AE09
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D60F10 9_2_06D60F10
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D60F20 9_2_06D60F20
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6CA58 9_2_06D6CA58
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6CA48 9_2_06D6CA48
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D61818 9_2_06D61818
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D61807 9_2_06D61807
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6A9E0 9_2_06D6A9E0
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_06D6A9AD 9_2_06D6A9AD
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Code function: 9_2_0E621BB8 9_2_0E621BB8
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01505130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0153EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01517E54 appears 107 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0154F290 appears 103 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 014BB970 appears 262 times
Sample file is different than original file name gathered from version info
Source: faktura proforma pdf.exe, 00000000.00000002.1742954449.000000000B560000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs faktura proforma pdf.exe
Source: faktura proforma pdf.exe, 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs faktura proforma pdf.exe
Source: faktura proforma pdf.exe, 00000000.00000002.1733508497.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs faktura proforma pdf.exe
Source: faktura proforma pdf.exe, 00000000.00000002.1736105667.0000000002D31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs faktura proforma pdf.exe
Source: faktura proforma pdf.exe Binary or memory string: OriginalFilenamexRzP.exe* vs faktura proforma pdf.exe
Uses 32bit PE files
Source: faktura proforma pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4157647117.000000000FCC4000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: Process Memory Space: faktura proforma pdf.exe PID: 2692, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7188, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: xmAdkuQjxrS.exe PID: 7332, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: mstsc.exe PID: 7524, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: raserver.exe PID: 7540, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: faktura proforma pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xmAdkuQjxrS.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, lkSy2S4jDXNLhokqZE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, VPSRVttg1LtLEvE5p6.cs Security API names: _0020.SetAccessControl
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, VPSRVttg1LtLEvE5p6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, VPSRVttg1LtLEvE5p6.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, lkSy2S4jDXNLhokqZE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, VPSRVttg1LtLEvE5p6.cs Security API names: _0020.SetAccessControl
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, VPSRVttg1LtLEvE5p6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, VPSRVttg1LtLEvE5p6.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, lkSy2S4jDXNLhokqZE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, VPSRVttg1LtLEvE5p6.cs Security API names: _0020.SetAccessControl
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, VPSRVttg1LtLEvE5p6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, VPSRVttg1LtLEvE5p6.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, lkSy2S4jDXNLhokqZE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, VPSRVttg1LtLEvE5p6.cs Security API names: _0020.SetAccessControl
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, VPSRVttg1LtLEvE5p6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, VPSRVttg1LtLEvE5p6.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.troj.evad.winEXE@23/11@11/0
Source: C:\Users\user\Desktop\faktura proforma pdf.exe File created: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Mutant created: \Sessions\1\BaseNamedObjects\YBJDWrmWsCm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1376:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: C:\Users\user\Desktop\faktura proforma pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmp69A7.tmp Jump to behavior
Source: faktura proforma pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: faktura proforma pdf.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\faktura proforma pdf.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: faktura proforma pdf.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\faktura proforma pdf.exe File read: C:\Users\user\Desktop\faktura proforma pdf.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\faktura proforma pdf.exe "C:\Users\user\Desktop\faktura proforma pdf.exe"
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp77D0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe" Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp" Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp77D0.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: credui.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\faktura proforma pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: faktura proforma pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: faktura proforma pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000007.00000002.4158146718.00000000110CF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143827334.000000000579F000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142597154.00000000033E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1788289388.00000000050A3000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.0000000005250000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1781032119.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.00000000053EE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.00000000050CE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1785605859.0000000004BCB000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1789576741.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.1785186199.0000000001490000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1788289388.00000000050A3000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.0000000005250000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000003.1781032119.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143220844.00000000053EE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.00000000050CE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1785605859.0000000004BCB000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791709211.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000E.00000003.1789576741.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RAServer.pdb source: RegSvcs.exe, 0000000C.00000002.1792619106.00000000017E0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.1788861011.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791022734.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: mstsc.pdbGCTL source: RegSvcs.exe, 00000006.00000002.1787815352.0000000003130000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142141459.00000000008F0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000007.00000002.4158146718.00000000110CF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4143827334.000000000579F000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142597154.00000000033E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mstsc.pdb source: RegSvcs.exe, 00000006.00000002.1787815352.0000000003130000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 0000000D.00000002.4142141459.00000000008F0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RAServer.pdbGCTL source: RegSvcs.exe, 0000000C.00000002.1792619106.00000000017E0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.1788861011.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000E.00000002.1791022734.0000000000270000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, VPSRVttg1LtLEvE5p6.cs .Net Code: x0QXKL6ev7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.faktura proforma pdf.exe.3d50b90.1.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, VPSRVttg1LtLEvE5p6.cs .Net Code: x0QXKL6ev7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.faktura proforma pdf.exe.7320000.3.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, VPSRVttg1LtLEvE5p6.cs .Net Code: x0QXKL6ev7 System.Reflection.Assembly.Load(byte[])
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, VPSRVttg1LtLEvE5p6.cs .Net Code: x0QXKL6ev7 System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0118A340 pushfd ; iretd 0_2_0118A342
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_0118475B push ebp; iretd 0_2_01184762
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_01184791 push esi; iretd 0_2_01184792
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_01184659 push edx; iretd 0_2_0118465A
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_01184699 push edx; iretd 0_2_0118469A
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Code function: 0_2_05616292 pushad ; retf 0_2_05616299
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041685B push edi; ret 6_2_00416876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041703D push 0000002Ah; ret 6_2_0041703F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D946 push dword ptr [637AF8F0h]; ret 6_2_0041D944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D9F3 push dword ptr [637AF8F0h]; ret 6_2_0041D944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00416A1F pushfd ; ret 6_2_00416A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041E3C9 push dword ptr [637AF8F0h]; ret 6_2_0041D944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D4D2 push eax; ret 6_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D4DB push eax; ret 6_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D485 push eax; ret 6_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041648C push es; iretd 6_2_00416492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D573 push dword ptr [637AF8F0h]; ret 6_2_0041D944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D53C push eax; ret 6_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00418759 pushad ; iretd 6_2_0041875C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004167F8 push edi; ret 6_2_00416876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0149225F pushad ; ret 6_2_014927F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014927FA pushad ; ret 6_2_014927F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C09AD push ecx; mov dword ptr [esp], ecx 6_2_014C09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0149283D push eax; iretd 6_2_01492858
Source: C:\Windows\explorer.exe Code function: 7_2_0E841B02 push esp; retn 0000h 7_2_0E841B03
Source: C:\Windows\explorer.exe Code function: 7_2_0E841B1E push esp; retn 0000h 7_2_0E841B1F
Source: C:\Windows\explorer.exe Code function: 7_2_0E8419B5 push esp; retn 0000h 7_2_0E841AE7
Source: C:\Windows\explorer.exe Code function: 7_2_0F6F1B02 push esp; retn 0000h 7_2_0F6F1B03
Source: C:\Windows\explorer.exe Code function: 7_2_0F6F1B1E push esp; retn 0000h 7_2_0F6F1B1F
Source: C:\Windows\explorer.exe Code function: 7_2_0F6F19B5 push esp; retn 0000h 7_2_0F6F1AE7
Source: C:\Windows\explorer.exe Code function: 7_2_0FCAF9B5 push esp; retn 0000h 7_2_0FCAFAE7
Source: faktura proforma pdf.exe Static PE information: section name: .text entropy: 7.97774115801193
Source: xmAdkuQjxrS.exe.0.dr Static PE information: section name: .text entropy: 7.97774115801193
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, FMyhnsUxgMA6O8A9GH.cs High entropy of concatenated method names: 'WbJNAQ7kCD', 'Oq0NoA14fC', 'HafNQt5gOY', 'XGTNhN7NKw', 'yblNfSp071', 'rvrNZSIk5y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, DOo1k736pip6ICyI6b.cs High entropy of concatenated method names: 'eYI836nBBa', 'Qrl8jBal2Z', 'Xvf8DomcW2', 'iFL8p6uf65', 'Sln8RcajZV', 'wbT8Fh70FP', 'Ioc8mclGEv', 'Hwp8N4Ryw9', 'StC8BJ6SsR', 'Wk68Cgnghf'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, CcAfC1OrNeHV7bQuJk.cs High entropy of concatenated method names: 'TaAPqhrjjq', 'F1hPctVLDx', 'dmnP0UxeCe', 'eTKP2LytVZ', 'IB6PRb5MqW', 'zwrPFUHFOS', 'ObLQ6R4g1niwcadnyj', 'k3j8G9uY7RurgnGcca', 'st0PPJnoaV', 'tO3PtAfenI'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, kjQP3XvYlJsebvrJgI.cs High entropy of concatenated method names: 'nU5NnFOdxi', 'i9yNJWHQmB', 'n6SN8f1RJe', 'CmQNUyW3Ke', 'OjDNlRQEEm', 'jYfNq6cIjY', 'i8JNcLTdg4', 'KCSNVev2uT', 'dkAN0u2pLH', 'jvtN2S1Ggi'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, VPSRVttg1LtLEvE5p6.cs High entropy of concatenated method names: 'hDst7t3gsu', 'wONtnSi8tR', 'pVttJTIsjm', 'riNt8FATbN', 'tW6tU9xY5I', 'WuTtlR3svy', 'w1qtqIEpTl', 'CIOtcpov05', 'LvXtVA87aF', 'T76t0AEZyb'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, KO2KmAhG1EsYFfTuj0.cs High entropy of concatenated method names: 'exElvl6Sx2', 'B9Xl4b1DOw', 'phtlK5arW1', 'Qb4l3Fi6la', 'vo6ljqYcL0', 'N95l56BQsV', 'd46lpv7TGa', 'zP2lxPeMW3', 'RY1AQMCIBkvci8GkOXi', 'gF2i2uCNaXXGqlehIYb'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, wmMGZOVAEqfjbWjTXT.cs High entropy of concatenated method names: 'lUJqn1mir5', 'R8Nq8pFB2e', 'Lf5ql5Bt6j', 'ylflwsnwqr', 'Q4nlzhk7gh', 'HX0qIN4Q0U', 'S5tqPH71e3', 'YyVq1YQjeK', 'cbEqtf4hHB', 'AZCqXgMfSd'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, x8aOvJwTL6qZyb9b1N.cs High entropy of concatenated method names: 'mgrq4RMmQZ', 'nNcqu2uIKb', 'f6wqKUHppg', 'uvtq3UQEv3', 'nQWqgR76JE', 'f1BqjEjYJc', 'i66q5aqXA4', 'xAJqDVlc2T', 'r51qpvhRca', 'leBqxxtbaQ'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, RZLMukS7XMclQYg4eD.cs High entropy of concatenated method names: 'wQNBPXSfGo', 'HNQBtQMYuI', 'CJbBXeiwsX', 'fkUBn5xsWj', 'l96BJQRAfT', 'VgWBUqcw9J', 'vXNBl7waxh', 'uLXNEHC6wO', 'FXZNkyjsxs', 'RpwNMEFeee'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, c0jyp8jGb8Bw0VYbsp.cs High entropy of concatenated method names: 'Dispose', 'pKAPMGnyET', 'tLP1oKnany', 'SSFHHxN76t', 'IGQPwMJPFP', 'XDWPzGs3bc', 'ProcessDialogKey', 'PRc1IIvOv9', 'CUO1P7HFpM', 'UcN11NGDh7'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, LWQJq7cibjCtlnPLtrc.cs High entropy of concatenated method names: 'iugB40l1Rw', 'vbKBuGxT2D', 'oCbBKxihko', 'KuxB3kxyW5', 'YRXBgeR6oD', 'ms1BjedPXj', 'iBeB5cYQkW', 'BAxBDaeg0o', 'nyqBpVdjXI', 'CDKBxmb7B5'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, dHSW6m6n0RQuICnouD.cs High entropy of concatenated method names: 'qCtmknviMM', 'XltmwFtKUk', 'EjyNIogVts', 'U1gNP7YWhK', 'h4Dm6HNCnE', 'rPsmy6jFYR', 'ugcmsmPr0E', 'N5imfe47I6', 'UeTmTvUmRx', 'RqZmW6XOAI'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, Ah72wsQxdG1EWBZjQc.cs High entropy of concatenated method names: 'T9TeDv4pd7', 'CA7ep9iqUd', 'q8teAWZ6Ra', 'AmVeoi7efr', 'lxeehWaGlU', 'GY5eZ1vBot', 'G1cerCmgJ4', 'ftaeiwVnoc', 'ALNeL7VJAe', 'aoce65kZQT'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, GpWooulZSBMfpZYOqI.cs High entropy of concatenated method names: 'QJxl7RUA1j', 'qsPlJu3VJd', 'hfllUeuytr', 'jYDlqUybxU', 'l7nlce2K4e', 'tb4Ub4Nj6A', 'QXXUO2VbmH', 'OYAUEwsRyi', 'fW1Uks3JEQ', 'BVKUM0Jgld'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, rinCIsxKt2b2sY0kNr.cs High entropy of concatenated method names: 'ORMKGuhWw', 'AMr3hvwIZ', 'x5ejjyqLn', 'tVL5jjytI', 'd6tp2A4ov', 'cx0xNwssK', 'sci4UYywI2Q4IYFEtP', 'NV8t9OcHju3F3BGbXQ', 'DPANKprnU', 'NTsCqF8On'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, QEwiPrzwevouwMIeAy.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JP6BeNjCAC', 'UtsBRf170h', 'IO6BFOvs8p', 'FvxBmKQbTc', 'LLKBNbNFG6', 'FnaBBPjfHZ', 'gMIBCGSStP'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, oOAciwf8r4hTgD9C4H.cs High entropy of concatenated method names: 'pylRLr1tFi', 'WcORycGa49', 'TcnRfb892E', 'twhRTpHNnG', 'ecNRow2hs2', 'RqYRQJmXCt', 'GI0RhUrbo7', 'KGvRZRI7Cu', 'b3bRYiWoLt', 'LoNRrvkDqm'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, Dn5S64c2THrPeWHTug2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xnGCfNnZJr', 'NPZCTkM0QE', 'yWwCWddwfA', 'pUnCG0qUVa', 'trDCbkqXG7', 'KukCOcwbM9', 'Yo4CEsFPLN'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, GK88Kn16WEEAbPvejc.cs High entropy of concatenated method names: 'Mutm0LN3Jy', 'dR2m2xs5hs', 'ToString', 'pBomnyAtkY', 'XN0mJTbJUp', 'W9em8v4jVP', 'g04mUq0sN1', 'U7ImlCOnox', 'wYmmqCvceV', 'PAUmclGk63'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, OMnd3l81OsuRldy2rR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pFo1MD0sVo', 'EPA1w3sxTZ', 'UwW1zNiNq7', 'n6StIaQC9O', 'bTctPZtRVW', 'WJSt1iHv7V', 'DlWttSkFnj', 'GSDEfyVsoGuhi8QgZM7'
Source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, lkSy2S4jDXNLhokqZE.cs High entropy of concatenated method names: 'OFPJfkXMcN', 'c6OJTPY9Y3', 'QgaJWfYKoI', 'KdGJGOfrGU', 'EqVJbWtTdl', 'MgqJO4JWKF', 'buWJEnrtdX', 'LuQJkMQ4cY', 'mvNJMK4Jjn', 'r57Jwnoyrs'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, FMyhnsUxgMA6O8A9GH.cs High entropy of concatenated method names: 'WbJNAQ7kCD', 'Oq0NoA14fC', 'HafNQt5gOY', 'XGTNhN7NKw', 'yblNfSp071', 'rvrNZSIk5y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, DOo1k736pip6ICyI6b.cs High entropy of concatenated method names: 'eYI836nBBa', 'Qrl8jBal2Z', 'Xvf8DomcW2', 'iFL8p6uf65', 'Sln8RcajZV', 'wbT8Fh70FP', 'Ioc8mclGEv', 'Hwp8N4Ryw9', 'StC8BJ6SsR', 'Wk68Cgnghf'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, CcAfC1OrNeHV7bQuJk.cs High entropy of concatenated method names: 'TaAPqhrjjq', 'F1hPctVLDx', 'dmnP0UxeCe', 'eTKP2LytVZ', 'IB6PRb5MqW', 'zwrPFUHFOS', 'ObLQ6R4g1niwcadnyj', 'k3j8G9uY7RurgnGcca', 'st0PPJnoaV', 'tO3PtAfenI'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, kjQP3XvYlJsebvrJgI.cs High entropy of concatenated method names: 'nU5NnFOdxi', 'i9yNJWHQmB', 'n6SN8f1RJe', 'CmQNUyW3Ke', 'OjDNlRQEEm', 'jYfNq6cIjY', 'i8JNcLTdg4', 'KCSNVev2uT', 'dkAN0u2pLH', 'jvtN2S1Ggi'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, VPSRVttg1LtLEvE5p6.cs High entropy of concatenated method names: 'hDst7t3gsu', 'wONtnSi8tR', 'pVttJTIsjm', 'riNt8FATbN', 'tW6tU9xY5I', 'WuTtlR3svy', 'w1qtqIEpTl', 'CIOtcpov05', 'LvXtVA87aF', 'T76t0AEZyb'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, KO2KmAhG1EsYFfTuj0.cs High entropy of concatenated method names: 'exElvl6Sx2', 'B9Xl4b1DOw', 'phtlK5arW1', 'Qb4l3Fi6la', 'vo6ljqYcL0', 'N95l56BQsV', 'd46lpv7TGa', 'zP2lxPeMW3', 'RY1AQMCIBkvci8GkOXi', 'gF2i2uCNaXXGqlehIYb'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, wmMGZOVAEqfjbWjTXT.cs High entropy of concatenated method names: 'lUJqn1mir5', 'R8Nq8pFB2e', 'Lf5ql5Bt6j', 'ylflwsnwqr', 'Q4nlzhk7gh', 'HX0qIN4Q0U', 'S5tqPH71e3', 'YyVq1YQjeK', 'cbEqtf4hHB', 'AZCqXgMfSd'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, x8aOvJwTL6qZyb9b1N.cs High entropy of concatenated method names: 'mgrq4RMmQZ', 'nNcqu2uIKb', 'f6wqKUHppg', 'uvtq3UQEv3', 'nQWqgR76JE', 'f1BqjEjYJc', 'i66q5aqXA4', 'xAJqDVlc2T', 'r51qpvhRca', 'leBqxxtbaQ'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, RZLMukS7XMclQYg4eD.cs High entropy of concatenated method names: 'wQNBPXSfGo', 'HNQBtQMYuI', 'CJbBXeiwsX', 'fkUBn5xsWj', 'l96BJQRAfT', 'VgWBUqcw9J', 'vXNBl7waxh', 'uLXNEHC6wO', 'FXZNkyjsxs', 'RpwNMEFeee'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, c0jyp8jGb8Bw0VYbsp.cs High entropy of concatenated method names: 'Dispose', 'pKAPMGnyET', 'tLP1oKnany', 'SSFHHxN76t', 'IGQPwMJPFP', 'XDWPzGs3bc', 'ProcessDialogKey', 'PRc1IIvOv9', 'CUO1P7HFpM', 'UcN11NGDh7'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, LWQJq7cibjCtlnPLtrc.cs High entropy of concatenated method names: 'iugB40l1Rw', 'vbKBuGxT2D', 'oCbBKxihko', 'KuxB3kxyW5', 'YRXBgeR6oD', 'ms1BjedPXj', 'iBeB5cYQkW', 'BAxBDaeg0o', 'nyqBpVdjXI', 'CDKBxmb7B5'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, dHSW6m6n0RQuICnouD.cs High entropy of concatenated method names: 'qCtmknviMM', 'XltmwFtKUk', 'EjyNIogVts', 'U1gNP7YWhK', 'h4Dm6HNCnE', 'rPsmy6jFYR', 'ugcmsmPr0E', 'N5imfe47I6', 'UeTmTvUmRx', 'RqZmW6XOAI'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, Ah72wsQxdG1EWBZjQc.cs High entropy of concatenated method names: 'T9TeDv4pd7', 'CA7ep9iqUd', 'q8teAWZ6Ra', 'AmVeoi7efr', 'lxeehWaGlU', 'GY5eZ1vBot', 'G1cerCmgJ4', 'ftaeiwVnoc', 'ALNeL7VJAe', 'aoce65kZQT'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, GpWooulZSBMfpZYOqI.cs High entropy of concatenated method names: 'QJxl7RUA1j', 'qsPlJu3VJd', 'hfllUeuytr', 'jYDlqUybxU', 'l7nlce2K4e', 'tb4Ub4Nj6A', 'QXXUO2VbmH', 'OYAUEwsRyi', 'fW1Uks3JEQ', 'BVKUM0Jgld'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, rinCIsxKt2b2sY0kNr.cs High entropy of concatenated method names: 'ORMKGuhWw', 'AMr3hvwIZ', 'x5ejjyqLn', 'tVL5jjytI', 'd6tp2A4ov', 'cx0xNwssK', 'sci4UYywI2Q4IYFEtP', 'NV8t9OcHju3F3BGbXQ', 'DPANKprnU', 'NTsCqF8On'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, QEwiPrzwevouwMIeAy.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JP6BeNjCAC', 'UtsBRf170h', 'IO6BFOvs8p', 'FvxBmKQbTc', 'LLKBNbNFG6', 'FnaBBPjfHZ', 'gMIBCGSStP'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, oOAciwf8r4hTgD9C4H.cs High entropy of concatenated method names: 'pylRLr1tFi', 'WcORycGa49', 'TcnRfb892E', 'twhRTpHNnG', 'ecNRow2hs2', 'RqYRQJmXCt', 'GI0RhUrbo7', 'KGvRZRI7Cu', 'b3bRYiWoLt', 'LoNRrvkDqm'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, Dn5S64c2THrPeWHTug2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xnGCfNnZJr', 'NPZCTkM0QE', 'yWwCWddwfA', 'pUnCG0qUVa', 'trDCbkqXG7', 'KukCOcwbM9', 'Yo4CEsFPLN'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, GK88Kn16WEEAbPvejc.cs High entropy of concatenated method names: 'Mutm0LN3Jy', 'dR2m2xs5hs', 'ToString', 'pBomnyAtkY', 'XN0mJTbJUp', 'W9em8v4jVP', 'g04mUq0sN1', 'U7ImlCOnox', 'wYmmqCvceV', 'PAUmclGk63'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, OMnd3l81OsuRldy2rR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pFo1MD0sVo', 'EPA1w3sxTZ', 'UwW1zNiNq7', 'n6StIaQC9O', 'bTctPZtRVW', 'WJSt1iHv7V', 'DlWttSkFnj', 'GSDEfyVsoGuhi8QgZM7'
Source: 0.2.faktura proforma pdf.exe.b560000.4.raw.unpack, lkSy2S4jDXNLhokqZE.cs High entropy of concatenated method names: 'OFPJfkXMcN', 'c6OJTPY9Y3', 'QgaJWfYKoI', 'KdGJGOfrGU', 'EqVJbWtTdl', 'MgqJO4JWKF', 'buWJEnrtdX', 'LuQJkMQ4cY', 'mvNJMK4Jjn', 'r57Jwnoyrs'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, FMyhnsUxgMA6O8A9GH.cs High entropy of concatenated method names: 'WbJNAQ7kCD', 'Oq0NoA14fC', 'HafNQt5gOY', 'XGTNhN7NKw', 'yblNfSp071', 'rvrNZSIk5y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, DOo1k736pip6ICyI6b.cs High entropy of concatenated method names: 'eYI836nBBa', 'Qrl8jBal2Z', 'Xvf8DomcW2', 'iFL8p6uf65', 'Sln8RcajZV', 'wbT8Fh70FP', 'Ioc8mclGEv', 'Hwp8N4Ryw9', 'StC8BJ6SsR', 'Wk68Cgnghf'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, CcAfC1OrNeHV7bQuJk.cs High entropy of concatenated method names: 'TaAPqhrjjq', 'F1hPctVLDx', 'dmnP0UxeCe', 'eTKP2LytVZ', 'IB6PRb5MqW', 'zwrPFUHFOS', 'ObLQ6R4g1niwcadnyj', 'k3j8G9uY7RurgnGcca', 'st0PPJnoaV', 'tO3PtAfenI'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, kjQP3XvYlJsebvrJgI.cs High entropy of concatenated method names: 'nU5NnFOdxi', 'i9yNJWHQmB', 'n6SN8f1RJe', 'CmQNUyW3Ke', 'OjDNlRQEEm', 'jYfNq6cIjY', 'i8JNcLTdg4', 'KCSNVev2uT', 'dkAN0u2pLH', 'jvtN2S1Ggi'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, VPSRVttg1LtLEvE5p6.cs High entropy of concatenated method names: 'hDst7t3gsu', 'wONtnSi8tR', 'pVttJTIsjm', 'riNt8FATbN', 'tW6tU9xY5I', 'WuTtlR3svy', 'w1qtqIEpTl', 'CIOtcpov05', 'LvXtVA87aF', 'T76t0AEZyb'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, KO2KmAhG1EsYFfTuj0.cs High entropy of concatenated method names: 'exElvl6Sx2', 'B9Xl4b1DOw', 'phtlK5arW1', 'Qb4l3Fi6la', 'vo6ljqYcL0', 'N95l56BQsV', 'd46lpv7TGa', 'zP2lxPeMW3', 'RY1AQMCIBkvci8GkOXi', 'gF2i2uCNaXXGqlehIYb'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, wmMGZOVAEqfjbWjTXT.cs High entropy of concatenated method names: 'lUJqn1mir5', 'R8Nq8pFB2e', 'Lf5ql5Bt6j', 'ylflwsnwqr', 'Q4nlzhk7gh', 'HX0qIN4Q0U', 'S5tqPH71e3', 'YyVq1YQjeK', 'cbEqtf4hHB', 'AZCqXgMfSd'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, x8aOvJwTL6qZyb9b1N.cs High entropy of concatenated method names: 'mgrq4RMmQZ', 'nNcqu2uIKb', 'f6wqKUHppg', 'uvtq3UQEv3', 'nQWqgR76JE', 'f1BqjEjYJc', 'i66q5aqXA4', 'xAJqDVlc2T', 'r51qpvhRca', 'leBqxxtbaQ'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, RZLMukS7XMclQYg4eD.cs High entropy of concatenated method names: 'wQNBPXSfGo', 'HNQBtQMYuI', 'CJbBXeiwsX', 'fkUBn5xsWj', 'l96BJQRAfT', 'VgWBUqcw9J', 'vXNBl7waxh', 'uLXNEHC6wO', 'FXZNkyjsxs', 'RpwNMEFeee'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, c0jyp8jGb8Bw0VYbsp.cs High entropy of concatenated method names: 'Dispose', 'pKAPMGnyET', 'tLP1oKnany', 'SSFHHxN76t', 'IGQPwMJPFP', 'XDWPzGs3bc', 'ProcessDialogKey', 'PRc1IIvOv9', 'CUO1P7HFpM', 'UcN11NGDh7'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, LWQJq7cibjCtlnPLtrc.cs High entropy of concatenated method names: 'iugB40l1Rw', 'vbKBuGxT2D', 'oCbBKxihko', 'KuxB3kxyW5', 'YRXBgeR6oD', 'ms1BjedPXj', 'iBeB5cYQkW', 'BAxBDaeg0o', 'nyqBpVdjXI', 'CDKBxmb7B5'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, dHSW6m6n0RQuICnouD.cs High entropy of concatenated method names: 'qCtmknviMM', 'XltmwFtKUk', 'EjyNIogVts', 'U1gNP7YWhK', 'h4Dm6HNCnE', 'rPsmy6jFYR', 'ugcmsmPr0E', 'N5imfe47I6', 'UeTmTvUmRx', 'RqZmW6XOAI'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, Ah72wsQxdG1EWBZjQc.cs High entropy of concatenated method names: 'T9TeDv4pd7', 'CA7ep9iqUd', 'q8teAWZ6Ra', 'AmVeoi7efr', 'lxeehWaGlU', 'GY5eZ1vBot', 'G1cerCmgJ4', 'ftaeiwVnoc', 'ALNeL7VJAe', 'aoce65kZQT'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, GpWooulZSBMfpZYOqI.cs High entropy of concatenated method names: 'QJxl7RUA1j', 'qsPlJu3VJd', 'hfllUeuytr', 'jYDlqUybxU', 'l7nlce2K4e', 'tb4Ub4Nj6A', 'QXXUO2VbmH', 'OYAUEwsRyi', 'fW1Uks3JEQ', 'BVKUM0Jgld'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, rinCIsxKt2b2sY0kNr.cs High entropy of concatenated method names: 'ORMKGuhWw', 'AMr3hvwIZ', 'x5ejjyqLn', 'tVL5jjytI', 'd6tp2A4ov', 'cx0xNwssK', 'sci4UYywI2Q4IYFEtP', 'NV8t9OcHju3F3BGbXQ', 'DPANKprnU', 'NTsCqF8On'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, QEwiPrzwevouwMIeAy.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JP6BeNjCAC', 'UtsBRf170h', 'IO6BFOvs8p', 'FvxBmKQbTc', 'LLKBNbNFG6', 'FnaBBPjfHZ', 'gMIBCGSStP'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, oOAciwf8r4hTgD9C4H.cs High entropy of concatenated method names: 'pylRLr1tFi', 'WcORycGa49', 'TcnRfb892E', 'twhRTpHNnG', 'ecNRow2hs2', 'RqYRQJmXCt', 'GI0RhUrbo7', 'KGvRZRI7Cu', 'b3bRYiWoLt', 'LoNRrvkDqm'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, Dn5S64c2THrPeWHTug2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xnGCfNnZJr', 'NPZCTkM0QE', 'yWwCWddwfA', 'pUnCG0qUVa', 'trDCbkqXG7', 'KukCOcwbM9', 'Yo4CEsFPLN'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, GK88Kn16WEEAbPvejc.cs High entropy of concatenated method names: 'Mutm0LN3Jy', 'dR2m2xs5hs', 'ToString', 'pBomnyAtkY', 'XN0mJTbJUp', 'W9em8v4jVP', 'g04mUq0sN1', 'U7ImlCOnox', 'wYmmqCvceV', 'PAUmclGk63'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, OMnd3l81OsuRldy2rR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pFo1MD0sVo', 'EPA1w3sxTZ', 'UwW1zNiNq7', 'n6StIaQC9O', 'bTctPZtRVW', 'WJSt1iHv7V', 'DlWttSkFnj', 'GSDEfyVsoGuhi8QgZM7'
Source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, lkSy2S4jDXNLhokqZE.cs High entropy of concatenated method names: 'OFPJfkXMcN', 'c6OJTPY9Y3', 'QgaJWfYKoI', 'KdGJGOfrGU', 'EqVJbWtTdl', 'MgqJO4JWKF', 'buWJEnrtdX', 'LuQJkMQ4cY', 'mvNJMK4Jjn', 'r57Jwnoyrs'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, FMyhnsUxgMA6O8A9GH.cs High entropy of concatenated method names: 'WbJNAQ7kCD', 'Oq0NoA14fC', 'HafNQt5gOY', 'XGTNhN7NKw', 'yblNfSp071', 'rvrNZSIk5y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, DOo1k736pip6ICyI6b.cs High entropy of concatenated method names: 'eYI836nBBa', 'Qrl8jBal2Z', 'Xvf8DomcW2', 'iFL8p6uf65', 'Sln8RcajZV', 'wbT8Fh70FP', 'Ioc8mclGEv', 'Hwp8N4Ryw9', 'StC8BJ6SsR', 'Wk68Cgnghf'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, CcAfC1OrNeHV7bQuJk.cs High entropy of concatenated method names: 'TaAPqhrjjq', 'F1hPctVLDx', 'dmnP0UxeCe', 'eTKP2LytVZ', 'IB6PRb5MqW', 'zwrPFUHFOS', 'ObLQ6R4g1niwcadnyj', 'k3j8G9uY7RurgnGcca', 'st0PPJnoaV', 'tO3PtAfenI'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, kjQP3XvYlJsebvrJgI.cs High entropy of concatenated method names: 'nU5NnFOdxi', 'i9yNJWHQmB', 'n6SN8f1RJe', 'CmQNUyW3Ke', 'OjDNlRQEEm', 'jYfNq6cIjY', 'i8JNcLTdg4', 'KCSNVev2uT', 'dkAN0u2pLH', 'jvtN2S1Ggi'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, VPSRVttg1LtLEvE5p6.cs High entropy of concatenated method names: 'hDst7t3gsu', 'wONtnSi8tR', 'pVttJTIsjm', 'riNt8FATbN', 'tW6tU9xY5I', 'WuTtlR3svy', 'w1qtqIEpTl', 'CIOtcpov05', 'LvXtVA87aF', 'T76t0AEZyb'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, KO2KmAhG1EsYFfTuj0.cs High entropy of concatenated method names: 'exElvl6Sx2', 'B9Xl4b1DOw', 'phtlK5arW1', 'Qb4l3Fi6la', 'vo6ljqYcL0', 'N95l56BQsV', 'd46lpv7TGa', 'zP2lxPeMW3', 'RY1AQMCIBkvci8GkOXi', 'gF2i2uCNaXXGqlehIYb'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, wmMGZOVAEqfjbWjTXT.cs High entropy of concatenated method names: 'lUJqn1mir5', 'R8Nq8pFB2e', 'Lf5ql5Bt6j', 'ylflwsnwqr', 'Q4nlzhk7gh', 'HX0qIN4Q0U', 'S5tqPH71e3', 'YyVq1YQjeK', 'cbEqtf4hHB', 'AZCqXgMfSd'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, x8aOvJwTL6qZyb9b1N.cs High entropy of concatenated method names: 'mgrq4RMmQZ', 'nNcqu2uIKb', 'f6wqKUHppg', 'uvtq3UQEv3', 'nQWqgR76JE', 'f1BqjEjYJc', 'i66q5aqXA4', 'xAJqDVlc2T', 'r51qpvhRca', 'leBqxxtbaQ'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, RZLMukS7XMclQYg4eD.cs High entropy of concatenated method names: 'wQNBPXSfGo', 'HNQBtQMYuI', 'CJbBXeiwsX', 'fkUBn5xsWj', 'l96BJQRAfT', 'VgWBUqcw9J', 'vXNBl7waxh', 'uLXNEHC6wO', 'FXZNkyjsxs', 'RpwNMEFeee'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, c0jyp8jGb8Bw0VYbsp.cs High entropy of concatenated method names: 'Dispose', 'pKAPMGnyET', 'tLP1oKnany', 'SSFHHxN76t', 'IGQPwMJPFP', 'XDWPzGs3bc', 'ProcessDialogKey', 'PRc1IIvOv9', 'CUO1P7HFpM', 'UcN11NGDh7'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, LWQJq7cibjCtlnPLtrc.cs High entropy of concatenated method names: 'iugB40l1Rw', 'vbKBuGxT2D', 'oCbBKxihko', 'KuxB3kxyW5', 'YRXBgeR6oD', 'ms1BjedPXj', 'iBeB5cYQkW', 'BAxBDaeg0o', 'nyqBpVdjXI', 'CDKBxmb7B5'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, dHSW6m6n0RQuICnouD.cs High entropy of concatenated method names: 'qCtmknviMM', 'XltmwFtKUk', 'EjyNIogVts', 'U1gNP7YWhK', 'h4Dm6HNCnE', 'rPsmy6jFYR', 'ugcmsmPr0E', 'N5imfe47I6', 'UeTmTvUmRx', 'RqZmW6XOAI'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, Ah72wsQxdG1EWBZjQc.cs High entropy of concatenated method names: 'T9TeDv4pd7', 'CA7ep9iqUd', 'q8teAWZ6Ra', 'AmVeoi7efr', 'lxeehWaGlU', 'GY5eZ1vBot', 'G1cerCmgJ4', 'ftaeiwVnoc', 'ALNeL7VJAe', 'aoce65kZQT'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, GpWooulZSBMfpZYOqI.cs High entropy of concatenated method names: 'QJxl7RUA1j', 'qsPlJu3VJd', 'hfllUeuytr', 'jYDlqUybxU', 'l7nlce2K4e', 'tb4Ub4Nj6A', 'QXXUO2VbmH', 'OYAUEwsRyi', 'fW1Uks3JEQ', 'BVKUM0Jgld'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, rinCIsxKt2b2sY0kNr.cs High entropy of concatenated method names: 'ORMKGuhWw', 'AMr3hvwIZ', 'x5ejjyqLn', 'tVL5jjytI', 'd6tp2A4ov', 'cx0xNwssK', 'sci4UYywI2Q4IYFEtP', 'NV8t9OcHju3F3BGbXQ', 'DPANKprnU', 'NTsCqF8On'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, QEwiPrzwevouwMIeAy.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JP6BeNjCAC', 'UtsBRf170h', 'IO6BFOvs8p', 'FvxBmKQbTc', 'LLKBNbNFG6', 'FnaBBPjfHZ', 'gMIBCGSStP'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, oOAciwf8r4hTgD9C4H.cs High entropy of concatenated method names: 'pylRLr1tFi', 'WcORycGa49', 'TcnRfb892E', 'twhRTpHNnG', 'ecNRow2hs2', 'RqYRQJmXCt', 'GI0RhUrbo7', 'KGvRZRI7Cu', 'b3bRYiWoLt', 'LoNRrvkDqm'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, Dn5S64c2THrPeWHTug2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xnGCfNnZJr', 'NPZCTkM0QE', 'yWwCWddwfA', 'pUnCG0qUVa', 'trDCbkqXG7', 'KukCOcwbM9', 'Yo4CEsFPLN'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, GK88Kn16WEEAbPvejc.cs High entropy of concatenated method names: 'Mutm0LN3Jy', 'dR2m2xs5hs', 'ToString', 'pBomnyAtkY', 'XN0mJTbJUp', 'W9em8v4jVP', 'g04mUq0sN1', 'U7ImlCOnox', 'wYmmqCvceV', 'PAUmclGk63'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, OMnd3l81OsuRldy2rR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pFo1MD0sVo', 'EPA1w3sxTZ', 'UwW1zNiNq7', 'n6StIaQC9O', 'bTctPZtRVW', 'WJSt1iHv7V', 'DlWttSkFnj', 'GSDEfyVsoGuhi8QgZM7'
Source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, lkSy2S4jDXNLhokqZE.cs High entropy of concatenated method names: 'OFPJfkXMcN', 'c6OJTPY9Y3', 'QgaJWfYKoI', 'KdGJGOfrGU', 'EqVJbWtTdl', 'MgqJO4JWKF', 'buWJEnrtdX', 'LuQJkMQ4cY', 'mvNJMK4Jjn', 'r57Jwnoyrs'
Drops PE files
Source: C:\Users\user\Desktop\faktura proforma pdf.exe File created: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: faktura proforma pdf.exe PID: 2692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xmAdkuQjxrS.exe PID: 7332, type: MEMORYSTR
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 32C9904 second address: 32C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 3009904 second address: 300990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 32C9B7E second address: 32C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 3009B7E second address: 3009B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: 1180000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: 2D30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: 2B30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: 8B80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: 7490000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: 9B80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: AB80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: B5F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: C5F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: D5F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: 8A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: 2790000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: 4790000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: 81B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: 6B80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: 91B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: A1B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: ABC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: BBC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: CBC0000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409AB0 rdtsc 6_2_00409AB0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6832 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2911 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3696 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 6247 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 893 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 857 Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Window / User API: threadDelayed 9819
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 1.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\faktura proforma pdf.exe TID: 4944 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7216 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7832 Thread sleep count: 3696 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 7832 Thread sleep time: -7392000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7832 Thread sleep count: 6247 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 7832 Thread sleep time: -12494000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe TID: 7352 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe TID: 7656 Thread sleep count: 153 > 30
Source: C:\Windows\SysWOW64\mstsc.exe TID: 7656 Thread sleep time: -306000s >= -30000s
Source: C:\Windows\SysWOW64\mstsc.exe TID: 7656 Thread sleep count: 9819 > 30
Source: C:\Windows\SysWOW64\mstsc.exe TID: 7656 Thread sleep time: -19638000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000007.00000000.1726963968.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000003.3111719104.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000007.00000003.3111719104.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000007.00000000.1726963968.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000000.1716988722.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000007.00000000.1720478261.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1726963968.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.1720478261.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000007.00000003.3111719104.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000007.00000002.4149087756.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4149087756.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3111719104.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.00000000097D4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000000.1726963968.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000002.4145487064.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1720478261.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000007.00000000.1725514053.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000007.00000000.1716988722.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000000.1716988722.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409AB0 rdtsc 6_2_00409AB0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0040ACF0 LdrLoadDll, 6_2_0040ACF0
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01558158 mov eax, dword ptr fs:[00000030h] 6_2_01558158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01554144 mov eax, dword ptr fs:[00000030h] 6_2_01554144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01554144 mov eax, dword ptr fs:[00000030h] 6_2_01554144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01554144 mov ecx, dword ptr fs:[00000030h] 6_2_01554144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01554144 mov eax, dword ptr fs:[00000030h] 6_2_01554144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01554144 mov eax, dword ptr fs:[00000030h] 6_2_01554144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C6154 mov eax, dword ptr fs:[00000030h] 6_2_014C6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C6154 mov eax, dword ptr fs:[00000030h] 6_2_014C6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BC156 mov eax, dword ptr fs:[00000030h] 6_2_014BC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01594164 mov eax, dword ptr fs:[00000030h] 6_2_01594164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01594164 mov eax, dword ptr fs:[00000030h] 6_2_01594164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01580115 mov eax, dword ptr fs:[00000030h] 6_2_01580115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156A118 mov ecx, dword ptr fs:[00000030h] 6_2_0156A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156A118 mov eax, dword ptr fs:[00000030h] 6_2_0156A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156A118 mov eax, dword ptr fs:[00000030h] 6_2_0156A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156A118 mov eax, dword ptr fs:[00000030h] 6_2_0156A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E10E mov eax, dword ptr fs:[00000030h] 6_2_0156E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E10E mov ecx, dword ptr fs:[00000030h] 6_2_0156E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E10E mov eax, dword ptr fs:[00000030h] 6_2_0156E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E10E mov eax, dword ptr fs:[00000030h] 6_2_0156E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E10E mov ecx, dword ptr fs:[00000030h] 6_2_0156E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E10E mov eax, dword ptr fs:[00000030h] 6_2_0156E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E10E mov eax, dword ptr fs:[00000030h] 6_2_0156E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E10E mov ecx, dword ptr fs:[00000030h] 6_2_0156E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E10E mov eax, dword ptr fs:[00000030h] 6_2_0156E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E10E mov ecx, dword ptr fs:[00000030h] 6_2_0156E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F0124 mov eax, dword ptr fs:[00000030h] 6_2_014F0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0153E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0153E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E1D0 mov ecx, dword ptr fs:[00000030h] 6_2_0153E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0153E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0153E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015861C3 mov eax, dword ptr fs:[00000030h] 6_2_015861C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015861C3 mov eax, dword ptr fs:[00000030h] 6_2_015861C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F01F8 mov eax, dword ptr fs:[00000030h] 6_2_014F01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015961E5 mov eax, dword ptr fs:[00000030h] 6_2_015961E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154019F mov eax, dword ptr fs:[00000030h] 6_2_0154019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154019F mov eax, dword ptr fs:[00000030h] 6_2_0154019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154019F mov eax, dword ptr fs:[00000030h] 6_2_0154019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154019F mov eax, dword ptr fs:[00000030h] 6_2_0154019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01500185 mov eax, dword ptr fs:[00000030h] 6_2_01500185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01564180 mov eax, dword ptr fs:[00000030h] 6_2_01564180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01564180 mov eax, dword ptr fs:[00000030h] 6_2_01564180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BA197 mov eax, dword ptr fs:[00000030h] 6_2_014BA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BA197 mov eax, dword ptr fs:[00000030h] 6_2_014BA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BA197 mov eax, dword ptr fs:[00000030h] 6_2_014BA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157C188 mov eax, dword ptr fs:[00000030h] 6_2_0157C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157C188 mov eax, dword ptr fs:[00000030h] 6_2_0157C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01546050 mov eax, dword ptr fs:[00000030h] 6_2_01546050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C2050 mov eax, dword ptr fs:[00000030h] 6_2_014C2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EC073 mov eax, dword ptr fs:[00000030h] 6_2_014EC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01544000 mov ecx, dword ptr fs:[00000030h] 6_2_01544000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01562000 mov eax, dword ptr fs:[00000030h] 6_2_01562000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01562000 mov eax, dword ptr fs:[00000030h] 6_2_01562000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01562000 mov eax, dword ptr fs:[00000030h] 6_2_01562000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01562000 mov eax, dword ptr fs:[00000030h] 6_2_01562000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01562000 mov eax, dword ptr fs:[00000030h] 6_2_01562000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01562000 mov eax, dword ptr fs:[00000030h] 6_2_01562000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01562000 mov eax, dword ptr fs:[00000030h] 6_2_01562000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01562000 mov eax, dword ptr fs:[00000030h] 6_2_01562000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DE016 mov eax, dword ptr fs:[00000030h] 6_2_014DE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DE016 mov eax, dword ptr fs:[00000030h] 6_2_014DE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DE016 mov eax, dword ptr fs:[00000030h] 6_2_014DE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DE016 mov eax, dword ptr fs:[00000030h] 6_2_014DE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01556030 mov eax, dword ptr fs:[00000030h] 6_2_01556030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BA020 mov eax, dword ptr fs:[00000030h] 6_2_014BA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BC020 mov eax, dword ptr fs:[00000030h] 6_2_014BC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015420DE mov eax, dword ptr fs:[00000030h] 6_2_015420DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015020F0 mov ecx, dword ptr fs:[00000030h] 6_2_015020F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C80E9 mov eax, dword ptr fs:[00000030h] 6_2_014C80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BA0E3 mov ecx, dword ptr fs:[00000030h] 6_2_014BA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015460E0 mov eax, dword ptr fs:[00000030h] 6_2_015460E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BC0F0 mov eax, dword ptr fs:[00000030h] 6_2_014BC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C208A mov eax, dword ptr fs:[00000030h] 6_2_014C208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015860B8 mov eax, dword ptr fs:[00000030h] 6_2_015860B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015860B8 mov ecx, dword ptr fs:[00000030h] 6_2_015860B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014B80A0 mov eax, dword ptr fs:[00000030h] 6_2_014B80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015580A8 mov eax, dword ptr fs:[00000030h] 6_2_015580A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01568350 mov ecx, dword ptr fs:[00000030h] 6_2_01568350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154035C mov eax, dword ptr fs:[00000030h] 6_2_0154035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154035C mov eax, dword ptr fs:[00000030h] 6_2_0154035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154035C mov eax, dword ptr fs:[00000030h] 6_2_0154035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154035C mov ecx, dword ptr fs:[00000030h] 6_2_0154035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154035C mov eax, dword ptr fs:[00000030h] 6_2_0154035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154035C mov eax, dword ptr fs:[00000030h] 6_2_0154035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158A352 mov eax, dword ptr fs:[00000030h] 6_2_0158A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0159634F mov eax, dword ptr fs:[00000030h] 6_2_0159634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01542349 mov eax, dword ptr fs:[00000030h] 6_2_01542349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156437C mov eax, dword ptr fs:[00000030h] 6_2_0156437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FA30B mov eax, dword ptr fs:[00000030h] 6_2_014FA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FA30B mov eax, dword ptr fs:[00000030h] 6_2_014FA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FA30B mov eax, dword ptr fs:[00000030h] 6_2_014FA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BC310 mov ecx, dword ptr fs:[00000030h] 6_2_014BC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E0310 mov ecx, dword ptr fs:[00000030h] 6_2_014E0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01598324 mov eax, dword ptr fs:[00000030h] 6_2_01598324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01598324 mov ecx, dword ptr fs:[00000030h] 6_2_01598324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01598324 mov eax, dword ptr fs:[00000030h] 6_2_01598324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01598324 mov eax, dword ptr fs:[00000030h] 6_2_01598324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015643D4 mov eax, dword ptr fs:[00000030h] 6_2_015643D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015643D4 mov eax, dword ptr fs:[00000030h] 6_2_015643D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA3C0 mov eax, dword ptr fs:[00000030h] 6_2_014CA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA3C0 mov eax, dword ptr fs:[00000030h] 6_2_014CA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA3C0 mov eax, dword ptr fs:[00000030h] 6_2_014CA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA3C0 mov eax, dword ptr fs:[00000030h] 6_2_014CA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA3C0 mov eax, dword ptr fs:[00000030h] 6_2_014CA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA3C0 mov eax, dword ptr fs:[00000030h] 6_2_014CA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C83C0 mov eax, dword ptr fs:[00000030h] 6_2_014C83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C83C0 mov eax, dword ptr fs:[00000030h] 6_2_014C83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C83C0 mov eax, dword ptr fs:[00000030h] 6_2_014C83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C83C0 mov eax, dword ptr fs:[00000030h] 6_2_014C83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E3DB mov eax, dword ptr fs:[00000030h] 6_2_0156E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E3DB mov eax, dword ptr fs:[00000030h] 6_2_0156E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E3DB mov ecx, dword ptr fs:[00000030h] 6_2_0156E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156E3DB mov eax, dword ptr fs:[00000030h] 6_2_0156E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015463C0 mov eax, dword ptr fs:[00000030h] 6_2_015463C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157C3CD mov eax, dword ptr fs:[00000030h] 6_2_0157C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h] 6_2_014D03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h] 6_2_014D03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h] 6_2_014D03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h] 6_2_014D03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h] 6_2_014D03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h] 6_2_014D03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h] 6_2_014D03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D03E9 mov eax, dword ptr fs:[00000030h] 6_2_014D03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F63FF mov eax, dword ptr fs:[00000030h] 6_2_014F63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DE3F0 mov eax, dword ptr fs:[00000030h] 6_2_014DE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DE3F0 mov eax, dword ptr fs:[00000030h] 6_2_014DE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DE3F0 mov eax, dword ptr fs:[00000030h] 6_2_014DE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E438F mov eax, dword ptr fs:[00000030h] 6_2_014E438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E438F mov eax, dword ptr fs:[00000030h] 6_2_014E438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BE388 mov eax, dword ptr fs:[00000030h] 6_2_014BE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BE388 mov eax, dword ptr fs:[00000030h] 6_2_014BE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BE388 mov eax, dword ptr fs:[00000030h] 6_2_014BE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014B8397 mov eax, dword ptr fs:[00000030h] 6_2_014B8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014B8397 mov eax, dword ptr fs:[00000030h] 6_2_014B8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014B8397 mov eax, dword ptr fs:[00000030h] 6_2_014B8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0159625D mov eax, dword ptr fs:[00000030h] 6_2_0159625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157A250 mov eax, dword ptr fs:[00000030h] 6_2_0157A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157A250 mov eax, dword ptr fs:[00000030h] 6_2_0157A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C6259 mov eax, dword ptr fs:[00000030h] 6_2_014C6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01548243 mov eax, dword ptr fs:[00000030h] 6_2_01548243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01548243 mov ecx, dword ptr fs:[00000030h] 6_2_01548243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BA250 mov eax, dword ptr fs:[00000030h] 6_2_014BA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014B826B mov eax, dword ptr fs:[00000030h] 6_2_014B826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 mov eax, dword ptr fs:[00000030h] 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 mov eax, dword ptr fs:[00000030h] 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 mov eax, dword ptr fs:[00000030h] 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 mov eax, dword ptr fs:[00000030h] 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 mov eax, dword ptr fs:[00000030h] 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 mov eax, dword ptr fs:[00000030h] 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 mov eax, dword ptr fs:[00000030h] 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 mov eax, dword ptr fs:[00000030h] 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 mov eax, dword ptr fs:[00000030h] 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 mov eax, dword ptr fs:[00000030h] 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 mov eax, dword ptr fs:[00000030h] 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01570274 mov eax, dword ptr fs:[00000030h] 6_2_01570274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C4260 mov eax, dword ptr fs:[00000030h] 6_2_014C4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C4260 mov eax, dword ptr fs:[00000030h] 6_2_014C4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C4260 mov eax, dword ptr fs:[00000030h] 6_2_014C4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014B823B mov eax, dword ptr fs:[00000030h] 6_2_014B823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA2C3 mov eax, dword ptr fs:[00000030h] 6_2_014CA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA2C3 mov eax, dword ptr fs:[00000030h] 6_2_014CA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA2C3 mov eax, dword ptr fs:[00000030h] 6_2_014CA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA2C3 mov eax, dword ptr fs:[00000030h] 6_2_014CA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA2C3 mov eax, dword ptr fs:[00000030h] 6_2_014CA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015962D6 mov eax, dword ptr fs:[00000030h] 6_2_015962D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D02E1 mov eax, dword ptr fs:[00000030h] 6_2_014D02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D02E1 mov eax, dword ptr fs:[00000030h] 6_2_014D02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D02E1 mov eax, dword ptr fs:[00000030h] 6_2_014D02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE284 mov eax, dword ptr fs:[00000030h] 6_2_014FE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE284 mov eax, dword ptr fs:[00000030h] 6_2_014FE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01540283 mov eax, dword ptr fs:[00000030h] 6_2_01540283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01540283 mov eax, dword ptr fs:[00000030h] 6_2_01540283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01540283 mov eax, dword ptr fs:[00000030h] 6_2_01540283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D02A0 mov eax, dword ptr fs:[00000030h] 6_2_014D02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D02A0 mov eax, dword ptr fs:[00000030h] 6_2_014D02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015562A0 mov eax, dword ptr fs:[00000030h] 6_2_015562A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015562A0 mov ecx, dword ptr fs:[00000030h] 6_2_015562A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015562A0 mov eax, dword ptr fs:[00000030h] 6_2_015562A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015562A0 mov eax, dword ptr fs:[00000030h] 6_2_015562A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015562A0 mov eax, dword ptr fs:[00000030h] 6_2_015562A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015562A0 mov eax, dword ptr fs:[00000030h] 6_2_015562A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C8550 mov eax, dword ptr fs:[00000030h] 6_2_014C8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C8550 mov eax, dword ptr fs:[00000030h] 6_2_014C8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F656A mov eax, dword ptr fs:[00000030h] 6_2_014F656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F656A mov eax, dword ptr fs:[00000030h] 6_2_014F656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F656A mov eax, dword ptr fs:[00000030h] 6_2_014F656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01556500 mov eax, dword ptr fs:[00000030h] 6_2_01556500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01594500 mov eax, dword ptr fs:[00000030h] 6_2_01594500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01594500 mov eax, dword ptr fs:[00000030h] 6_2_01594500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01594500 mov eax, dword ptr fs:[00000030h] 6_2_01594500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01594500 mov eax, dword ptr fs:[00000030h] 6_2_01594500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01594500 mov eax, dword ptr fs:[00000030h] 6_2_01594500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01594500 mov eax, dword ptr fs:[00000030h] 6_2_01594500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01594500 mov eax, dword ptr fs:[00000030h] 6_2_01594500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE53E mov eax, dword ptr fs:[00000030h] 6_2_014EE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE53E mov eax, dword ptr fs:[00000030h] 6_2_014EE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE53E mov eax, dword ptr fs:[00000030h] 6_2_014EE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE53E mov eax, dword ptr fs:[00000030h] 6_2_014EE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE53E mov eax, dword ptr fs:[00000030h] 6_2_014EE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0535 mov eax, dword ptr fs:[00000030h] 6_2_014D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0535 mov eax, dword ptr fs:[00000030h] 6_2_014D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0535 mov eax, dword ptr fs:[00000030h] 6_2_014D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0535 mov eax, dword ptr fs:[00000030h] 6_2_014D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0535 mov eax, dword ptr fs:[00000030h] 6_2_014D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0535 mov eax, dword ptr fs:[00000030h] 6_2_014D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE5CF mov eax, dword ptr fs:[00000030h] 6_2_014FE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE5CF mov eax, dword ptr fs:[00000030h] 6_2_014FE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C65D0 mov eax, dword ptr fs:[00000030h] 6_2_014C65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FA5D0 mov eax, dword ptr fs:[00000030h] 6_2_014FA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FA5D0 mov eax, dword ptr fs:[00000030h] 6_2_014FA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FC5ED mov eax, dword ptr fs:[00000030h] 6_2_014FC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FC5ED mov eax, dword ptr fs:[00000030h] 6_2_014FC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h] 6_2_014EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h] 6_2_014EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h] 6_2_014EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h] 6_2_014EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h] 6_2_014EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h] 6_2_014EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h] 6_2_014EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE5E7 mov eax, dword ptr fs:[00000030h] 6_2_014EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C25E0 mov eax, dword ptr fs:[00000030h] 6_2_014C25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F4588 mov eax, dword ptr fs:[00000030h] 6_2_014F4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C2582 mov eax, dword ptr fs:[00000030h] 6_2_014C2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C2582 mov ecx, dword ptr fs:[00000030h] 6_2_014C2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE59C mov eax, dword ptr fs:[00000030h] 6_2_014FE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015405A7 mov eax, dword ptr fs:[00000030h] 6_2_015405A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015405A7 mov eax, dword ptr fs:[00000030h] 6_2_015405A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015405A7 mov eax, dword ptr fs:[00000030h] 6_2_015405A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E45B1 mov eax, dword ptr fs:[00000030h] 6_2_014E45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E45B1 mov eax, dword ptr fs:[00000030h] 6_2_014E45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157A456 mov eax, dword ptr fs:[00000030h] 6_2_0157A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h] 6_2_014FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h] 6_2_014FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h] 6_2_014FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h] 6_2_014FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h] 6_2_014FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h] 6_2_014FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h] 6_2_014FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE443 mov eax, dword ptr fs:[00000030h] 6_2_014FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E245A mov eax, dword ptr fs:[00000030h] 6_2_014E245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014B645D mov eax, dword ptr fs:[00000030h] 6_2_014B645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154C460 mov ecx, dword ptr fs:[00000030h] 6_2_0154C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EA470 mov eax, dword ptr fs:[00000030h] 6_2_014EA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EA470 mov eax, dword ptr fs:[00000030h] 6_2_014EA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EA470 mov eax, dword ptr fs:[00000030h] 6_2_014EA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F8402 mov eax, dword ptr fs:[00000030h] 6_2_014F8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F8402 mov eax, dword ptr fs:[00000030h] 6_2_014F8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F8402 mov eax, dword ptr fs:[00000030h] 6_2_014F8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BE420 mov eax, dword ptr fs:[00000030h] 6_2_014BE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BE420 mov eax, dword ptr fs:[00000030h] 6_2_014BE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BE420 mov eax, dword ptr fs:[00000030h] 6_2_014BE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BC427 mov eax, dword ptr fs:[00000030h] 6_2_014BC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01546420 mov eax, dword ptr fs:[00000030h] 6_2_01546420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01546420 mov eax, dword ptr fs:[00000030h] 6_2_01546420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01546420 mov eax, dword ptr fs:[00000030h] 6_2_01546420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01546420 mov eax, dword ptr fs:[00000030h] 6_2_01546420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01546420 mov eax, dword ptr fs:[00000030h] 6_2_01546420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01546420 mov eax, dword ptr fs:[00000030h] 6_2_01546420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01546420 mov eax, dword ptr fs:[00000030h] 6_2_01546420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C04E5 mov ecx, dword ptr fs:[00000030h] 6_2_014C04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0157A49A mov eax, dword ptr fs:[00000030h] 6_2_0157A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154A4B0 mov eax, dword ptr fs:[00000030h] 6_2_0154A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C64AB mov eax, dword ptr fs:[00000030h] 6_2_014C64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F44B0 mov ecx, dword ptr fs:[00000030h] 6_2_014F44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502750 mov eax, dword ptr fs:[00000030h] 6_2_01502750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502750 mov eax, dword ptr fs:[00000030h] 6_2_01502750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01544755 mov eax, dword ptr fs:[00000030h] 6_2_01544755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F674D mov esi, dword ptr fs:[00000030h] 6_2_014F674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F674D mov eax, dword ptr fs:[00000030h] 6_2_014F674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F674D mov eax, dword ptr fs:[00000030h] 6_2_014F674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154E75D mov eax, dword ptr fs:[00000030h] 6_2_0154E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C0750 mov eax, dword ptr fs:[00000030h] 6_2_014C0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C8770 mov eax, dword ptr fs:[00000030h] 6_2_014C8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 mov eax, dword ptr fs:[00000030h] 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 mov eax, dword ptr fs:[00000030h] 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 mov eax, dword ptr fs:[00000030h] 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 mov eax, dword ptr fs:[00000030h] 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 mov eax, dword ptr fs:[00000030h] 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 mov eax, dword ptr fs:[00000030h] 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 mov eax, dword ptr fs:[00000030h] 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 mov eax, dword ptr fs:[00000030h] 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 mov eax, dword ptr fs:[00000030h] 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 mov eax, dword ptr fs:[00000030h] 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 mov eax, dword ptr fs:[00000030h] 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0770 mov eax, dword ptr fs:[00000030h] 6_2_014D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FC700 mov eax, dword ptr fs:[00000030h] 6_2_014FC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C0710 mov eax, dword ptr fs:[00000030h] 6_2_014C0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F0710 mov eax, dword ptr fs:[00000030h] 6_2_014F0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153C730 mov eax, dword ptr fs:[00000030h] 6_2_0153C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FC720 mov eax, dword ptr fs:[00000030h] 6_2_014FC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FC720 mov eax, dword ptr fs:[00000030h] 6_2_014FC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F273C mov eax, dword ptr fs:[00000030h] 6_2_014F273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F273C mov ecx, dword ptr fs:[00000030h] 6_2_014F273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F273C mov eax, dword ptr fs:[00000030h] 6_2_014F273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CC7C0 mov eax, dword ptr fs:[00000030h] 6_2_014CC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015407C3 mov eax, dword ptr fs:[00000030h] 6_2_015407C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E27ED mov eax, dword ptr fs:[00000030h] 6_2_014E27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E27ED mov eax, dword ptr fs:[00000030h] 6_2_014E27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E27ED mov eax, dword ptr fs:[00000030h] 6_2_014E27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154E7E1 mov eax, dword ptr fs:[00000030h] 6_2_0154E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C47FB mov eax, dword ptr fs:[00000030h] 6_2_014C47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C47FB mov eax, dword ptr fs:[00000030h] 6_2_014C47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156678E mov eax, dword ptr fs:[00000030h] 6_2_0156678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C07AF mov eax, dword ptr fs:[00000030h] 6_2_014C07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015747A0 mov eax, dword ptr fs:[00000030h] 6_2_015747A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DC640 mov eax, dword ptr fs:[00000030h] 6_2_014DC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FA660 mov eax, dword ptr fs:[00000030h] 6_2_014FA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FA660 mov eax, dword ptr fs:[00000030h] 6_2_014FA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158866E mov eax, dword ptr fs:[00000030h] 6_2_0158866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158866E mov eax, dword ptr fs:[00000030h] 6_2_0158866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F2674 mov eax, dword ptr fs:[00000030h] 6_2_014F2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D260B mov eax, dword ptr fs:[00000030h] 6_2_014D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D260B mov eax, dword ptr fs:[00000030h] 6_2_014D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D260B mov eax, dword ptr fs:[00000030h] 6_2_014D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D260B mov eax, dword ptr fs:[00000030h] 6_2_014D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D260B mov eax, dword ptr fs:[00000030h] 6_2_014D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D260B mov eax, dword ptr fs:[00000030h] 6_2_014D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D260B mov eax, dword ptr fs:[00000030h] 6_2_014D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01502619 mov eax, dword ptr fs:[00000030h] 6_2_01502619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E609 mov eax, dword ptr fs:[00000030h] 6_2_0153E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C262C mov eax, dword ptr fs:[00000030h] 6_2_014C262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DE627 mov eax, dword ptr fs:[00000030h] 6_2_014DE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F6620 mov eax, dword ptr fs:[00000030h] 6_2_014F6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F8620 mov eax, dword ptr fs:[00000030h] 6_2_014F8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FA6C7 mov ebx, dword ptr fs:[00000030h] 6_2_014FA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FA6C7 mov eax, dword ptr fs:[00000030h] 6_2_014FA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E6F2 mov eax, dword ptr fs:[00000030h] 6_2_0153E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E6F2 mov eax, dword ptr fs:[00000030h] 6_2_0153E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E6F2 mov eax, dword ptr fs:[00000030h] 6_2_0153E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E6F2 mov eax, dword ptr fs:[00000030h] 6_2_0153E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015406F1 mov eax, dword ptr fs:[00000030h] 6_2_015406F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015406F1 mov eax, dword ptr fs:[00000030h] 6_2_015406F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C4690 mov eax, dword ptr fs:[00000030h] 6_2_014C4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C4690 mov eax, dword ptr fs:[00000030h] 6_2_014C4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FC6A6 mov eax, dword ptr fs:[00000030h] 6_2_014FC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F66B0 mov eax, dword ptr fs:[00000030h] 6_2_014F66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01540946 mov eax, dword ptr fs:[00000030h] 6_2_01540946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01594940 mov eax, dword ptr fs:[00000030h] 6_2_01594940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154C97C mov eax, dword ptr fs:[00000030h] 6_2_0154C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E6962 mov eax, dword ptr fs:[00000030h] 6_2_014E6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E6962 mov eax, dword ptr fs:[00000030h] 6_2_014E6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E6962 mov eax, dword ptr fs:[00000030h] 6_2_014E6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01564978 mov eax, dword ptr fs:[00000030h] 6_2_01564978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01564978 mov eax, dword ptr fs:[00000030h] 6_2_01564978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0150096E mov eax, dword ptr fs:[00000030h] 6_2_0150096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0150096E mov edx, dword ptr fs:[00000030h] 6_2_0150096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0150096E mov eax, dword ptr fs:[00000030h] 6_2_0150096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154C912 mov eax, dword ptr fs:[00000030h] 6_2_0154C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014B8918 mov eax, dword ptr fs:[00000030h] 6_2_014B8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014B8918 mov eax, dword ptr fs:[00000030h] 6_2_014B8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E908 mov eax, dword ptr fs:[00000030h] 6_2_0153E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153E908 mov eax, dword ptr fs:[00000030h] 6_2_0153E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154892A mov eax, dword ptr fs:[00000030h] 6_2_0154892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0155892B mov eax, dword ptr fs:[00000030h] 6_2_0155892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158A9D3 mov eax, dword ptr fs:[00000030h] 6_2_0158A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015569C0 mov eax, dword ptr fs:[00000030h] 6_2_015569C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA9D0 mov eax, dword ptr fs:[00000030h] 6_2_014CA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA9D0 mov eax, dword ptr fs:[00000030h] 6_2_014CA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA9D0 mov eax, dword ptr fs:[00000030h] 6_2_014CA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA9D0 mov eax, dword ptr fs:[00000030h] 6_2_014CA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA9D0 mov eax, dword ptr fs:[00000030h] 6_2_014CA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CA9D0 mov eax, dword ptr fs:[00000030h] 6_2_014CA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F49D0 mov eax, dword ptr fs:[00000030h] 6_2_014F49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154E9E0 mov eax, dword ptr fs:[00000030h] 6_2_0154E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F29F9 mov eax, dword ptr fs:[00000030h] 6_2_014F29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F29F9 mov eax, dword ptr fs:[00000030h] 6_2_014F29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C09AD mov eax, dword ptr fs:[00000030h] 6_2_014C09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C09AD mov eax, dword ptr fs:[00000030h] 6_2_014C09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015489B3 mov esi, dword ptr fs:[00000030h] 6_2_015489B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015489B3 mov eax, dword ptr fs:[00000030h] 6_2_015489B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015489B3 mov eax, dword ptr fs:[00000030h] 6_2_015489B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D29A0 mov eax, dword ptr fs:[00000030h] 6_2_014D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D2840 mov ecx, dword ptr fs:[00000030h] 6_2_014D2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C4859 mov eax, dword ptr fs:[00000030h] 6_2_014C4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C4859 mov eax, dword ptr fs:[00000030h] 6_2_014C4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F0854 mov eax, dword ptr fs:[00000030h] 6_2_014F0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01556870 mov eax, dword ptr fs:[00000030h] 6_2_01556870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01556870 mov eax, dword ptr fs:[00000030h] 6_2_01556870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154E872 mov eax, dword ptr fs:[00000030h] 6_2_0154E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154E872 mov eax, dword ptr fs:[00000030h] 6_2_0154E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154C810 mov eax, dword ptr fs:[00000030h] 6_2_0154C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156483A mov eax, dword ptr fs:[00000030h] 6_2_0156483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156483A mov eax, dword ptr fs:[00000030h] 6_2_0156483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E2835 mov eax, dword ptr fs:[00000030h] 6_2_014E2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E2835 mov eax, dword ptr fs:[00000030h] 6_2_014E2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E2835 mov eax, dword ptr fs:[00000030h] 6_2_014E2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E2835 mov ecx, dword ptr fs:[00000030h] 6_2_014E2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E2835 mov eax, dword ptr fs:[00000030h] 6_2_014E2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E2835 mov eax, dword ptr fs:[00000030h] 6_2_014E2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FA830 mov eax, dword ptr fs:[00000030h] 6_2_014FA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EE8C0 mov eax, dword ptr fs:[00000030h] 6_2_014EE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015908C0 mov eax, dword ptr fs:[00000030h] 6_2_015908C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FC8F9 mov eax, dword ptr fs:[00000030h] 6_2_014FC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FC8F9 mov eax, dword ptr fs:[00000030h] 6_2_014FC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158A8E4 mov eax, dword ptr fs:[00000030h] 6_2_0158A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154C89D mov eax, dword ptr fs:[00000030h] 6_2_0154C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C0887 mov eax, dword ptr fs:[00000030h] 6_2_014C0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156EB50 mov eax, dword ptr fs:[00000030h] 6_2_0156EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01592B57 mov eax, dword ptr fs:[00000030h] 6_2_01592B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01592B57 mov eax, dword ptr fs:[00000030h] 6_2_01592B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01592B57 mov eax, dword ptr fs:[00000030h] 6_2_01592B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01592B57 mov eax, dword ptr fs:[00000030h] 6_2_01592B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01568B42 mov eax, dword ptr fs:[00000030h] 6_2_01568B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01556B40 mov eax, dword ptr fs:[00000030h] 6_2_01556B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01556B40 mov eax, dword ptr fs:[00000030h] 6_2_01556B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158AB40 mov eax, dword ptr fs:[00000030h] 6_2_0158AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014B8B50 mov eax, dword ptr fs:[00000030h] 6_2_014B8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01574B4B mov eax, dword ptr fs:[00000030h] 6_2_01574B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01574B4B mov eax, dword ptr fs:[00000030h] 6_2_01574B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014BCB7E mov eax, dword ptr fs:[00000030h] 6_2_014BCB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153EB1D mov eax, dword ptr fs:[00000030h] 6_2_0153EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153EB1D mov eax, dword ptr fs:[00000030h] 6_2_0153EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153EB1D mov eax, dword ptr fs:[00000030h] 6_2_0153EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153EB1D mov eax, dword ptr fs:[00000030h] 6_2_0153EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153EB1D mov eax, dword ptr fs:[00000030h] 6_2_0153EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153EB1D mov eax, dword ptr fs:[00000030h] 6_2_0153EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153EB1D mov eax, dword ptr fs:[00000030h] 6_2_0153EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153EB1D mov eax, dword ptr fs:[00000030h] 6_2_0153EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153EB1D mov eax, dword ptr fs:[00000030h] 6_2_0153EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01594B00 mov eax, dword ptr fs:[00000030h] 6_2_01594B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EEB20 mov eax, dword ptr fs:[00000030h] 6_2_014EEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EEB20 mov eax, dword ptr fs:[00000030h] 6_2_014EEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01588B28 mov eax, dword ptr fs:[00000030h] 6_2_01588B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01588B28 mov eax, dword ptr fs:[00000030h] 6_2_01588B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C0BCD mov eax, dword ptr fs:[00000030h] 6_2_014C0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C0BCD mov eax, dword ptr fs:[00000030h] 6_2_014C0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C0BCD mov eax, dword ptr fs:[00000030h] 6_2_014C0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E0BCB mov eax, dword ptr fs:[00000030h] 6_2_014E0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E0BCB mov eax, dword ptr fs:[00000030h] 6_2_014E0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E0BCB mov eax, dword ptr fs:[00000030h] 6_2_014E0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156EBD0 mov eax, dword ptr fs:[00000030h] 6_2_0156EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154CBF0 mov eax, dword ptr fs:[00000030h] 6_2_0154CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EEBFC mov eax, dword ptr fs:[00000030h] 6_2_014EEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C8BF0 mov eax, dword ptr fs:[00000030h] 6_2_014C8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C8BF0 mov eax, dword ptr fs:[00000030h] 6_2_014C8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C8BF0 mov eax, dword ptr fs:[00000030h] 6_2_014C8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01574BB0 mov eax, dword ptr fs:[00000030h] 6_2_01574BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01574BB0 mov eax, dword ptr fs:[00000030h] 6_2_01574BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0BBE mov eax, dword ptr fs:[00000030h] 6_2_014D0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0BBE mov eax, dword ptr fs:[00000030h] 6_2_014D0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0A5B mov eax, dword ptr fs:[00000030h] 6_2_014D0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D0A5B mov eax, dword ptr fs:[00000030h] 6_2_014D0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C6A50 mov eax, dword ptr fs:[00000030h] 6_2_014C6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C6A50 mov eax, dword ptr fs:[00000030h] 6_2_014C6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C6A50 mov eax, dword ptr fs:[00000030h] 6_2_014C6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C6A50 mov eax, dword ptr fs:[00000030h] 6_2_014C6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C6A50 mov eax, dword ptr fs:[00000030h] 6_2_014C6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C6A50 mov eax, dword ptr fs:[00000030h] 6_2_014C6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C6A50 mov eax, dword ptr fs:[00000030h] 6_2_014C6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FCA6F mov eax, dword ptr fs:[00000030h] 6_2_014FCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FCA6F mov eax, dword ptr fs:[00000030h] 6_2_014FCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FCA6F mov eax, dword ptr fs:[00000030h] 6_2_014FCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153CA72 mov eax, dword ptr fs:[00000030h] 6_2_0153CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0153CA72 mov eax, dword ptr fs:[00000030h] 6_2_0153CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156EA60 mov eax, dword ptr fs:[00000030h] 6_2_0156EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0154CA11 mov eax, dword ptr fs:[00000030h] 6_2_0154CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EEA2E mov eax, dword ptr fs:[00000030h] 6_2_014EEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FCA24 mov eax, dword ptr fs:[00000030h] 6_2_014FCA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E4A35 mov eax, dword ptr fs:[00000030h] 6_2_014E4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E4A35 mov eax, dword ptr fs:[00000030h] 6_2_014E4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014C0AD0 mov eax, dword ptr fs:[00000030h] 6_2_014C0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01516ACC mov eax, dword ptr fs:[00000030h] 6_2_01516ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01516ACC mov eax, dword ptr fs:[00000030h] 6_2_01516ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01516ACC mov eax, dword ptr fs:[00000030h] 6_2_01516ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F4AD0 mov eax, dword ptr fs:[00000030h] 6_2_014F4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F4AD0 mov eax, dword ptr fs:[00000030h] 6_2_014F4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FAAEE mov eax, dword ptr fs:[00000030h] 6_2_014FAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FAAEE mov eax, dword ptr fs:[00000030h] 6_2_014FAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CEA80 mov eax, dword ptr fs:[00000030h] 6_2_014CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CEA80 mov eax, dword ptr fs:[00000030h] 6_2_014CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CEA80 mov eax, dword ptr fs:[00000030h] 6_2_014CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CEA80 mov eax, dword ptr fs:[00000030h] 6_2_014CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014CEA80 mov eax, dword ptr fs:[00000030h] 6_2_014CEA80
Enables debug privileges
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe"
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe" Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtClose: Indirect: 0x180A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtQueueApcThread: Indirect: 0x180A4F2 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtClose: Indirect: 0x17BA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtQueueApcThread: Indirect: 0x17BA4F2 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 2580 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 2580 Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 2580
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 8F0000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 270000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C8D008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B2A008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe" Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp69A7.tmp" Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xmAdkuQjxrS" /XML "C:\Users\user\AppData\Local\Temp\tmp77D0.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: explorer.exe, 00000007.00000002.4143182866.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4144949157.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1725514053.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.4143182866.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717518008.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.4142527749.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1716988722.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000007.00000002.4143182866.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717518008.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000002.4143182866.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1717518008.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Users\user\Desktop\faktura proforma pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Queries volume information: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\xmAdkuQjxrS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\faktura proforma pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.faktura proforma pdf.exe.4809f88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xmAdkuQjxrS.exe.41fb088.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xmAdkuQjxrS.exe.426aea8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.faktura proforma pdf.exe.479a168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1780724008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1791235982.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1737166544.00000000045C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1773933452.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4142797665.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4142425418.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4142752695.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1540850 Sample: faktura proforma pdf.exe Startdate: 24/10/2024 Architecture: WINDOWS Score: 100 55 www.isax.xyz 2->55 57 www.haad.xyz 2->57 59 9 other IPs or domains 2->59 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 81 12 other signatures 2->81 11 faktura proforma pdf.exe 7 2->11         started        15 xmAdkuQjxrS.exe 5 2->15         started        signatures3 79 Performs DNS queries to domains with low reputation 57->79 process4 file5 47 C:\Users\user\AppData\...\xmAdkuQjxrS.exe, PE32 11->47 dropped 49 C:\Users\...\xmAdkuQjxrS.exe:Zone.Identifier, ASCII 11->49 dropped 51 C:\Users\user\AppData\Local\...\tmp69A7.tmp, XML 11->51 dropped 53 C:\Users\...\faktura proforma pdf.exe.log, ASCII 11->53 dropped 91 Writes to foreign memory regions 11->91 93 Allocates memory in foreign processes 11->93 95 Adds a directory exclusion to Windows Defender 11->95 17 RegSvcs.exe 11->17         started        20 powershell.exe 23 11->20         started        22 schtasks.exe 1 11->22         started        97 Multi AV Scanner detection for dropped file 15->97 99 Machine Learning detection for dropped file 15->99 101 Injects a PE file into a foreign processes 15->101 24 RegSvcs.exe 15->24         started        26 schtasks.exe 1 15->26         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 17->61 63 Maps a DLL or memory area into another process 17->63 65 Sample uses process hollowing technique 17->65 71 2 other signatures 17->71 28 explorer.exe 57 1 17->28 injected 67 Loading BitLocker PowerShell Module 20->67 30 WmiPrvSE.exe 20->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        69 Found direct / indirect Syscall (likely to bypass EDR) 24->69 36 conhost.exe 26->36         started        process9 process10 38 mstsc.exe 28->38         started        41 raserver.exe 28->41         started        signatures11 83 Modifies the context of a thread in another process (thread injection) 38->83 85 Maps a DLL or memory area into another process 38->85 87 Tries to detect virtualization through RDTSC time measurements 38->87 89 Switches to a custom stack to bypass stack traces 38->89 43 cmd.exe 38->43         started        process12 process13 45 conhost.exe 43->45         started       
No contacted IP infos

Contacted Domains

Name IP Active
www.haad.xyz 13.248.252.114 true
www.isax.xyz unknown unknown
www.nline-shopping-56055.bond unknown unknown
www.omaininformaniacion.fun unknown unknown
www.rrivalgetaways.info unknown unknown
www.asposted.online unknown unknown
www.hopbestdeals.online unknown unknown
www.hilohcreekpemf.online unknown unknown
www.indow-replacement-46487.bond unknown unknown
www.hetinkerfoundation.net unknown unknown
www.ixaahx.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.asposted.online/gy15/ true
    		unknown