Windows Analysis Report
Invoice & Packing list For Sea Shipment.exe

Overview

General Information

Sample name: Invoice & Packing list For Sea Shipment.exe
Analysis ID: 1650980
MD5: 0dd55fefa69cfb836b9d03765d943726
SHA1: a2825325c6aae44ec72a916d99ec101a4d2acc75
SHA256: d37c856c37f289af0a5cf37c5e2c9ab7b115d401d945426faadc6b48234dc2ba
Tags: exeInvoiceuser-cocaman
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to resolve many domain names, but no domain seems valid
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Invoice & Packing list For Sea Shipment.exe Avira: detected
Antivirus detection for URL or domain
Source: http://www.aportsystems.store/a03d/ Avira URL Cloud: Label: malware
Source: http://www.0090.pizza/a03d/www.ings-hu-13.today Avira URL Cloud: Label: malware
Source: http://www.aportsystems.store/a03d/www.lphatechblog.xyz Avira URL Cloud: Label: malware
Source: http://www.asglobalaz.shop/a03d/ Avira URL Cloud: Label: malware
Source: http://www.itiz.xyz/a03d/?06A=1S/Ml8MhhZcgUxSbm7ZuM2rP7Vmm5l/lyuGuBD/BitQWsLFnZM8smPnB3Q7M7Y+/UA9Kc3248g==&wZAD=pBZTFP-XZbx0Fd1P Avira URL Cloud: Label: malware
Source: http://www.asglobalaz.shop/a03d/www.gmgslzdc.sbs Avira URL Cloud: Label: malware
Source: http://www.ings-hu-13.today/a03d/www.asglobalaz.shop Avira URL Cloud: Label: malware
Source: http://www.voyagu.info/a03d/www.itiz.xyz Avira URL Cloud: Label: malware
Source: https://www.itiz.xyz/a03d/?06A=1S/Ml8MhhZcgUxSbm7ZuM2rP7Vmm5l/lyuGuBD/BitQWsLFnZM8smPnB3Q7M7Y Avira URL Cloud: Label: malware
Source: http://www.aportsystems.store Avira URL Cloud: Label: malware
Source: http://www.argloscaremedia.info/a03d/ Avira URL Cloud: Label: malware
Source: http://www.cebepu.info/a03d/www.olourclubbet.shop Avira URL Cloud: Label: malware
Source: http://www.itiz.xyz/a03d/www.enelog.xyz Avira URL Cloud: Label: malware
Source: http://www.ensentoto.cloud/a03d/ Avira URL Cloud: Label: malware
Source: http://www.itiz.xyz/a03d/ Avira URL Cloud: Label: malware
Source: http://www.0090.pizza Avira URL Cloud: Label: malware
Source: http://www.ings-hu-13.today Avira URL Cloud: Label: malware
Source: http://www.argloscaremedia.info/a03d/www.urvivalflashlights.shop Avira URL Cloud: Label: malware
Source: http://www.olourclubbet.shop/a03d/ Avira URL Cloud: Label: malware
Source: http://www.ings-hu-13.today/a03d/ Avira URL Cloud: Label: malware
Source: http://www.rumpchiefofstaff.store/a03d/ Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/www.argloscaremedia.info Avira URL Cloud: Label: malware
Source: http://www.voyagu.info/a03d/ Avira URL Cloud: Label: malware
Source: http://www.urvivalflashlights.shop/a03d/www.cebepu.info Avira URL Cloud: Label: malware
Source: http://www.0090.pizza/a03d/ Avira URL Cloud: Label: malware
Source: http://www.ensentoto.cloud/a03d/www.duxrib.xyz Avira URL Cloud: Label: malware
Source: http://www.ensentoto.cloud Avira URL Cloud: Label: malware
Source: http://www.lphatechblog.xyz/a03d/www.ensentoto.cloud Avira URL Cloud: Label: malware
Source: http://www.rumpchiefofstaff.store/a03d/www.aportsystems.store Avira URL Cloud: Label: malware
Source: http://www.gmgslzdc.sbs/a03d/www.voyagu.info Avira URL Cloud: Label: malware
Source: http://www.urvivalflashlights.shop/a03d/ Avira URL Cloud: Label: malware
Source: http://www.cebepu.info/a03d/ Avira URL Cloud: Label: malware
Source: http://www.olourclubbet.shop/a03d/www.rumpchiefofstaff.store Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Avira: detection malicious, Label: HEUR/AGEN.1306904
Found malware configuration
Source: 00000007.00000002.955570993.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.enelog.xyz/a03d/"], "decoy": ["nfluencer-marketing-13524.bond", "cebepu.info", "lphatechblog.xyz", "haoyun.website", "itiz.xyz", "orld-visa-center.online", "si.art", "alata.xyz", "mmarketing.xyz", "elnqdjc.shop", "ensentoto.cloud", "voyagu.info", "onvert.today", "1fuli9902.shop", "otelhafnia.info", "rumpchiefofstaff.store", "urvivalflashlights.shop", "0090.pizza", "ings-hu-13.today", "oliticalpatriot.net", "5970.pizza", "arimatch-in.legal", "eepvid.xyz", "bfootball.net", "otorcycle-loans-19502.bond", "nline-advertising-34790.bond", "behm.info", "aportsystems.store", "agiararoma.net", "agfov4u.xyz", "9769.mobi", "ome-renovation-86342.bond", "kkkk.shop", "duxrib.xyz", "xurobo.info", "leurdivin.online", "ive-neurozoom.store", "ndogaming.online", "dj1.lat", "yselection.xyz", "52628.xyz", "lsaadmart.store", "oftware-download-92806.bond", "avid-hildebrand.info", "orashrine.store", "erpangina-treatment-views.sbs", "ategorie-polecane-831.buzz", "oonlightshadow.shop", "istromarmitaria.online", "gmgslzdc.sbs", "asglobalaz.shop", "locarry.store", "eleefmestreech.online", "inggraphic.pro", "atidiri.fun", "olourclubbet.shop", "eatbox.store", "romatografia.online", "encortex.beauty", "8oosnny.xyz", "72266.vip", "aja168e.live", "fath.shop", "argloscaremedia.info"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe ReversingLabs: Detection: 72%
Multi AV Scanner detection for submitted file
Source: Invoice & Packing list For Sea Shipment.exe Virustotal: Detection: 32% Perma Link
Source: Invoice & Packing list For Sea Shipment.exe ReversingLabs: Detection: 72%
Yara detected FormBook
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.955570993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3322884312.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.921854884.00000000038A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.921854884.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3322242898.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.951007561.0000000003516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.969807785.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3322996222.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Neural Call Log Analysis: 99.9%
Uses 32bit PE files
Source: Invoice & Packing list For Sea Shipment.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Invoice & Packing list For Sea Shipment.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000008.00000002.3335412300.000000001047F000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3324662584.000000000339F000.00000004.10000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3323113364.00000000028E1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000007.00000002.956746038.00000000018B0000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000E.00000002.3323891524.0000000002FEE000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000E.00000003.955913528.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000E.00000003.958906105.0000000002C9E000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000E.00000002.3323891524.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000F.00000002.970360026.000000000468E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000F.00000003.962674106.000000000419D000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000F.00000002.970360026.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000F.00000003.965560879.0000000004342000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000007.00000002.956746038.00000000018B0000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000E.00000002.3323891524.0000000002FEE000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000E.00000003.955913528.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000E.00000003.958906105.0000000002C9E000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000E.00000002.3323891524.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000F.00000002.970360026.000000000468E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000F.00000003.962674106.000000000419D000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000F.00000002.970360026.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000F.00000003.965560879.0000000004342000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RAServer.pdb source: RegSvcs.exe, 0000000D.00000002.963241216.0000000001080000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.962400543.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000F.00000002.970122815.0000000000700000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000008.00000002.3335412300.000000001047F000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3324662584.000000000339F000.00000004.10000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3323113364.00000000028E1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: help.pdbGCTL source: RegSvcs.exe, 00000007.00000002.956449177.0000000001388000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.956339132.0000000001330000.00000040.10000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3321973864.0000000000130000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: help.pdb source: RegSvcs.exe, 00000007.00000002.956449177.0000000001388000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.956339132.0000000001330000.00000040.10000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3321973864.0000000000130000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RAServer.pdbGCTL source: RegSvcs.exe, 0000000D.00000002.963241216.0000000001080000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.962400543.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000F.00000002.970122815.0000000000700000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 4x nop then jmp 083CF607h 0_2_083CEC5B
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 4x nop then jmp 083CF607h 0_2_083CEC95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop ebx 7_2_00407B1E
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 4x nop then jmp 06A3EB07h 9_2_06A3E15B
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 4x nop then jmp 06A3EB07h 9_2_06A3E195

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.enelog.xyz/a03d/
Performs DNS queries to domains with low reputation
Source: DNS query: www.itiz.xyz
Source: DNS query: www.enelog.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /a03d/?06A=1S/Ml8MhhZcgUxSbm7ZuM2rP7Vmm5l/lyuGuBD/BitQWsLFnZM8smPnB3Q7M7Y+/UA9Kc3248g==&wZAD=pBZTFP-XZbx0Fd1P HTTP/1.1Host: www.itiz.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View IP Address: 204.79.197.203 204.79.197.203
Source: Joe Sandbox View IP Address: 204.79.197.203 204.79.197.203
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Tries to resolve many domain names, but no domain seems valid
Source: unknown DNS traffic detected: query: www.olourclubbet.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.gmgslzdc.sbs replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.asglobalaz.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.urvivalflashlights.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.voyagu.info replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.cebepu.info replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.0090.pizza replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.argloscaremedia.info replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ings-hu-13.today replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.rumpchiefofstaff.store replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.enelog.xyz replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 8_2_10CC2F82 getaddrinfo,setsockopt,recv, 8_2_10CC2F82
Source: global traffic HTTP traffic detected: GET /a03d/?06A=1S/Ml8MhhZcgUxSbm7ZuM2rP7Vmm5l/lyuGuBD/BitQWsLFnZM8smPnB3Q7M7Y+/UA9Kc3248g==&wZAD=pBZTFP-XZbx0Fd1P HTTP/1.1Host: www.itiz.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic DNS traffic detected: DNS query: www.0090.pizza
Source: global traffic DNS traffic detected: DNS query: www.ings-hu-13.today
Source: global traffic DNS traffic detected: DNS query: www.asglobalaz.shop
Source: global traffic DNS traffic detected: DNS query: www.gmgslzdc.sbs
Source: global traffic DNS traffic detected: DNS query: www.voyagu.info
Source: global traffic DNS traffic detected: DNS query: www.itiz.xyz
Source: global traffic DNS traffic detected: DNS query: www.enelog.xyz
Source: global traffic DNS traffic detected: DNS query: www.argloscaremedia.info
Source: global traffic DNS traffic detected: DNS query: www.urvivalflashlights.shop
Source: global traffic DNS traffic detected: DNS query: www.cebepu.info
Source: global traffic DNS traffic detected: DNS query: www.olourclubbet.shop
Source: global traffic DNS traffic detected: DNS query: www.rumpchiefofstaff.store
Source: explorer.exe, 00000008.00000003.2673703001.0000000008687000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3326987195.0000000006BCF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006B9B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2673122710.0000000006BCC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2673081230.0000000006BB8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.906949066.000000000867B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3329010599.0000000008689000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: svchost.exe, 00000013.00000002.2814137412.000002EAE388D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: explorer.exe, 00000008.00000003.2673703001.0000000008687000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3326987195.0000000006BCF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006B9B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2673122710.0000000006BCC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2673081230.0000000006BB8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.906949066.000000000867B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3329010599.0000000008689000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: qmgr.db.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.19.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000013.00000003.1205848009.000002EAE7A00000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.19.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: explorer.exe, 00000008.00000003.2673703001.0000000008687000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3326987195.0000000006BCF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006B9B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2673122710.0000000006BCC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2673081230.0000000006BB8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.906949066.000000000867B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3329010599.0000000008689000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000008.00000002.3328325402.0000000008610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.906949066.0000000008610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008610000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl$
Source: explorer.exe, 00000008.00000000.905793806.0000000007010000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.909577339.0000000008D80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3327549102.00000000070C0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: Invoice & Packing list For Sea Shipment.exe, 00000000.00000002.919900217.0000000002887000.00000004.00000800.00020000.00000000.sdmp, XXyQpOLIcjn.exe, 00000009.00000002.947967629.00000000024F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.0090.pizza
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.0090.pizza/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.0090.pizza/a03d/www.ings-hu-13.today
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.0090.pizzaReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aportsystems.store
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aportsystems.store/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aportsystems.store/a03d/www.lphatechblog.xyz
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aportsystems.storeReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.argloscaremedia.info
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.argloscaremedia.info/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.argloscaremedia.info/a03d/www.urvivalflashlights.shop
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.argloscaremedia.infoReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.asglobalaz.shop
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.asglobalaz.shop/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.asglobalaz.shop/a03d/www.gmgslzdc.sbs
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.asglobalaz.shopReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cebepu.info
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cebepu.info/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cebepu.info/a03d/www.olourclubbet.shop
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cebepu.infoReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.duxrib.xyz
Source: explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.duxrib.xyz/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.duxrib.xyzReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.enelog.xyz
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.enelog.xyz/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.enelog.xyz/a03d/www.argloscaremedia.info
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.enelog.xyzReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ensentoto.cloud
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ensentoto.cloud/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ensentoto.cloud/a03d/www.duxrib.xyz
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ensentoto.cloudReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gmgslzdc.sbs
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gmgslzdc.sbs/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gmgslzdc.sbs/a03d/www.voyagu.info
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gmgslzdc.sbsReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ings-hu-13.today
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ings-hu-13.today/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ings-hu-13.today/a03d/www.asglobalaz.shop
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ings-hu-13.todayReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itiz.xyz
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itiz.xyz/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itiz.xyz/a03d/www.enelog.xyz
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itiz.xyzReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lphatechblog.xyz
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lphatechblog.xyz/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lphatechblog.xyz/a03d/www.ensentoto.cloud
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lphatechblog.xyzReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olourclubbet.shop
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olourclubbet.shop/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olourclubbet.shop/a03d/www.rumpchiefofstaff.store
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olourclubbet.shopReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rumpchiefofstaff.store
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rumpchiefofstaff.store/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rumpchiefofstaff.store/a03d/www.aportsystems.store
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rumpchiefofstaff.storeReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.urvivalflashlights.shop
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.urvivalflashlights.shop/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.urvivalflashlights.shop/a03d/www.cebepu.info
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.urvivalflashlights.shopReferer:
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.voyagu.info
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.voyagu.info/a03d/
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.voyagu.info/a03d/www.itiz.xyz
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.voyagu.infoReferer:
Source: explorer.exe, 00000008.00000003.2672424848.000000000BE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3331877734.000000000BE1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.913286442.000000000BE1A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000008.00000003.2672424848.000000000BE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.913286442.000000000BE1A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000008.00000003.2672424848.000000000BE47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.913286442.000000000BE1A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS(
Source: explorer.exe, 00000008.00000000.903365582.0000000006AA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3326417208.0000000006A9B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000008.00000003.2670860260.00000000084DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.906949066.00000000084DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3328325402.00000000084DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRmH-
Source: explorer.exe, 00000008.00000000.906949066.0000000008669000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000008.00000002.3331877734.000000000BE1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2675781345.000000000BE3B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3072922605.000000000BE3B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.913286442.000000000BE1A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: qmgr.db.19.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000013.00000003.1205848009.000002EAE7A00000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.19.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: qmgr.db.19.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: explorer.exe, 00000008.00000002.3331877734.000000000BE1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2675781345.000000000BE3B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3072922605.000000000BE3B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.913286442.000000000BE1A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000008.00000002.3331877734.000000000BE1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.913286442.000000000BE1A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000003.3075472724.000000000885E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3072046805.000000000885E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2672127415.000000000885E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.906949066.000000000885E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3329163385.000000000885E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/b
Source: explorer.exe, 00000008.00000002.3331877734.000000000BE1A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2675781345.000000000BE3B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3072922605.000000000BE3B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.913286442.000000000BE1A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000008.00000002.3335412300.000000001096F000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3324662584.000000000388F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.itiz.xyz/a03d/?06A=1S/Ml8MhhZcgUxSbm7ZuM2rP7Vmm5l/lyuGuBD/BitQWsLFnZM8smPnB3Q7M7Y
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000008.00000002.3326417208.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.903365582.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.955570993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3322884312.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.921854884.00000000038A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.921854884.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3322242898.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.951007561.0000000003516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.969807785.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3322996222.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.955570993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.955570993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.955570993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.3322884312.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.3322884312.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.3322884312.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.921854884.00000000038A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.921854884.00000000038A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.921854884.00000000038A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.921854884.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.921854884.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.921854884.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.3322242898.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.3322242898.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.3322242898.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.951007561.0000000003516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.951007561.0000000003516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.951007561.0000000003516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.969807785.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.969807785.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.969807785.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.3322996222.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.3322996222.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.3322996222.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Invoice & Packing list For Sea Shipment.exe PID: 7104, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6852, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: XXyQpOLIcjn.exe PID: 6912, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: help.exe PID: 1376, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: raserver.exe PID: 5204, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Invoice & Packing list For Sea Shipment.exe
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041A320 NtCreateFile, 7_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041A3D0 NtReadFile, 7_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041A450 NtClose, 7_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041A500 NtAllocateVirtualMemory, 7_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041A31B NtCreateFile, 7_2_0041A31B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041A44B NtClose, 7_2_0041A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041A4FF NtAllocateVirtualMemory, 7_2_0041A4FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_01922BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922B60 NtClose,LdrInitializeThunk, 7_2_01922B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922AD0 NtReadFile,LdrInitializeThunk, 7_2_01922AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922DD0 NtDelayExecution,LdrInitializeThunk, 7_2_01922DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_01922DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922D10 NtMapViewOfSection,LdrInitializeThunk, 7_2_01922D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922D30 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_01922D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922CA0 NtQueryInformationToken,LdrInitializeThunk, 7_2_01922CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_01922C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922F90 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_01922F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922FB0 NtResumeThread,LdrInitializeThunk, 7_2_01922FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922FE0 NtCreateFile,LdrInitializeThunk, 7_2_01922FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922F30 NtCreateSection,LdrInitializeThunk, 7_2_01922F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922E80 NtReadVirtualMemory,LdrInitializeThunk, 7_2_01922E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_01922EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01924340 NtSetContextThread, 7_2_01924340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01924650 NtSuspendThread, 7_2_01924650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922B80 NtQueryInformationFile, 7_2_01922B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922BA0 NtEnumerateValueKey, 7_2_01922BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922BE0 NtQueryValueKey, 7_2_01922BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922AB0 NtWaitForSingleObject, 7_2_01922AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922AF0 NtWriteFile, 7_2_01922AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922DB0 NtEnumerateKey, 7_2_01922DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922D00 NtSetInformationFile, 7_2_01922D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922CC0 NtQueryVirtualMemory, 7_2_01922CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922CF0 NtOpenProcess, 7_2_01922CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922C00 NtQueryInformationProcess, 7_2_01922C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922C60 NtCreateKey, 7_2_01922C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922FA0 NtQuerySection, 7_2_01922FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922F60 NtCreateProcessEx, 7_2_01922F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922EE0 NtQueueApcThread, 7_2_01922EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922E30 NtWriteVirtualMemory, 7_2_01922E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01923090 NtSetValueKey, 7_2_01923090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01923010 NtOpenDirectoryObject, 7_2_01923010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019235C0 NtCreateMutant, 7_2_019235C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019239B0 NtGetContextThread, 7_2_019239B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01923D10 NtOpenProcessToken, 7_2_01923D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01923D70 NtOpenThread, 7_2_01923D70
Source: C:\Windows\explorer.exe Code function: 8_2_10CC3E12 NtProtectVirtualMemory, 8_2_10CC3E12
Source: C:\Windows\explorer.exe Code function: 8_2_10CC2232 NtCreateFile, 8_2_10CC2232
Source: C:\Windows\explorer.exe Code function: 8_2_10CC3E0A NtProtectVirtualMemory, 8_2_10CC3E0A
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 0_2_00A63E40 0_2_00A63E40
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 0_2_00A66F90 0_2_00A66F90
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 0_2_00A6DCAC 0_2_00A6DCAC
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 0_2_083C5A88 0_2_083C5A88
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 0_2_083CAA20 0_2_083CAA20
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 0_2_083C5A77 0_2_083C5A77
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 0_2_083C8AA0 0_2_083C8AA0
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 0_2_083C8ED8 0_2_083C8ED8
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 0_2_083C8EC8 0_2_083C8EC8
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 0_2_083CAF30 0_2_083CAF30
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 0_2_083C8668 0_2_083C8668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00401030 7_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041EAC3 7_2_0041EAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041E524 7_2_0041E524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041D580 7_2_0041D580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00402D90 7_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00409E50 7_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00409E0A 7_2_00409E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041EFDF 7_2_0041EFDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00402FB0 7_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B01AA 7_2_019B01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A41A2 7_2_019A41A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A81CC 7_2_019A81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198A118 7_2_0198A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E0100 7_2_018E0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01978158 7_2_01978158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01982000 7_2_01982000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B03E6 7_2_019B03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FE3F0 7_2_018FE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AA352 7_2_019AA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019702C0 7_2_019702C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B0591 7_2_019B0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0535 7_2_018F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0199E4F6 7_2_0199E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01994420 7_2_01994420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A2446 7_2_019A2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EC7C0 7_2_018EC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01914750 7_2_01914750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190C6E0 7_2_0190C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019BA9A6 7_2_019BA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01906962 7_2_01906962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018D68B8 7_2_018D68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E8F0 7_2_0191E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F2840 7_2_018F2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FA840 7_2_018FA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A6BD7 7_2_019A6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AAB40 7_2_019AAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EEA80 7_2_018EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01908DBF 7_2_01908DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EADE0 7_2_018EADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198CD1F 7_2_0198CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FAD00 7_2_018FAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990CB5 7_2_01990CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E0CF2 7_2_018E0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0C00 7_2_018F0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196EFA0 7_2_0196EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E2FC8 7_2_018E2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FCFE0 7_2_018FCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01910F30 7_2_01910F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01992F30 7_2_01992F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01932F28 7_2_01932F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01964F40 7_2_01964F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01902E90 7_2_01902E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019ACE93 7_2_019ACE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AEEDB 7_2_019AEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AEE26 7_2_019AEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0E59 7_2_018F0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FB1B0 7_2_018FB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019BB16B 7_2_019BB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0192516C 7_2_0192516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DF172 7_2_018DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F70C0 7_2_018F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0199F0CC 7_2_0199F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A70E9 7_2_019A70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AF0E0 7_2_019AF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0193739A 7_2_0193739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A132D 7_2_019A132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DD34C 7_2_018DD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F52A0 7_2_018F52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190B2C0 7_2_0190B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019912ED 7_2_019912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198D5B0 7_2_0198D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B95C3 7_2_019B95C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A7571 7_2_019A7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AF43F 7_2_019AF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E1460 7_2_018E1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AF7B0 7_2_019AF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A16CC 7_2_019A16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01935630 7_2_01935630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01985910 7_2_01985910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190B950 7_2_0190B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F9950 7_2_018F9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F38E0 7_2_018F38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195D800 7_2_0195D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190FB80 7_2_0190FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01965BF0 7_2_01965BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0192DBF9 7_2_0192DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AFB76 7_2_019AFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01935AA0 7_2_01935AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198DAAC 7_2_0198DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01991AA3 7_2_01991AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0199DAC6 7_2_0199DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AFA49 7_2_019AFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A7A46 7_2_019A7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01963A6C 7_2_01963A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190FDC0 7_2_0190FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A1D5A 7_2_019A1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F3D40 7_2_018F3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A7D73 7_2_019A7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AFCF2 7_2_019AFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01969C32 7_2_01969C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F1F92 7_2_018F1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AFFB1 7_2_019AFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018B3FD2 7_2_018B3FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018B3FD5 7_2_018B3FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AFF09 7_2_019AFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F9EB0 7_2_018F9EB0
Source: C:\Windows\explorer.exe Code function: 8_2_0DF4C5CD 8_2_0DF4C5CD
Source: C:\Windows\explorer.exe Code function: 8_2_0DF46912 8_2_0DF46912
Source: C:\Windows\explorer.exe Code function: 8_2_0DF40D02 8_2_0DF40D02
Source: C:\Windows\explorer.exe Code function: 8_2_0DF3F082 8_2_0DF3F082
Source: C:\Windows\explorer.exe Code function: 8_2_0DF48036 8_2_0DF48036
Source: C:\Windows\explorer.exe Code function: 8_2_0DF43B30 8_2_0DF43B30
Source: C:\Windows\explorer.exe Code function: 8_2_0DF43B32 8_2_0DF43B32
Source: C:\Windows\explorer.exe Code function: 8_2_0DF49232 8_2_0DF49232
Source: C:\Windows\explorer.exe Code function: 8_2_0E08F232 8_2_0E08F232
Source: C:\Windows\explorer.exe Code function: 8_2_0E089B30 8_2_0E089B30
Source: C:\Windows\explorer.exe Code function: 8_2_0E089B32 8_2_0E089B32
Source: C:\Windows\explorer.exe Code function: 8_2_0E08E036 8_2_0E08E036
Source: C:\Windows\explorer.exe Code function: 8_2_0E085082 8_2_0E085082
Source: C:\Windows\explorer.exe Code function: 8_2_0E086D02 8_2_0E086D02
Source: C:\Windows\explorer.exe Code function: 8_2_0E08C912 8_2_0E08C912
Source: C:\Windows\explorer.exe Code function: 8_2_0E0925CD 8_2_0E0925CD
Source: C:\Windows\explorer.exe Code function: 8_2_10CC2232 8_2_10CC2232
Source: C:\Windows\explorer.exe Code function: 8_2_10CB8082 8_2_10CB8082
Source: C:\Windows\explorer.exe Code function: 8_2_10CC1036 8_2_10CC1036
Source: C:\Windows\explorer.exe Code function: 8_2_10CC55CD 8_2_10CC55CD
Source: C:\Windows\explorer.exe Code function: 8_2_10CB9D02 8_2_10CB9D02
Source: C:\Windows\explorer.exe Code function: 8_2_10CBF912 8_2_10CBF912
Source: C:\Windows\explorer.exe Code function: 8_2_10CBCB32 8_2_10CBCB32
Source: C:\Windows\explorer.exe Code function: 8_2_10CBCB30 8_2_10CBCB30
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_00CC3E40 9_2_00CC3E40
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_00CC6F90 9_2_00CC6F90
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_00CCDCAC 9_2_00CCDCAC
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_06A35A88 9_2_06A35A88
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_06A38668 9_2_06A38668
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_06A34170 9_2_06A34170
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_06A38EC8 9_2_06A38EC8
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_06A38ED8 9_2_06A38ED8
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_06A3AF30 9_2_06A3AF30
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_06A38AA0 9_2_06A38AA0
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_06A3AA20 9_2_06A3AA20
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_06A35A7B 9_2_06A35A7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_010F0100 13_2_010F0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01146000 13_2_01146000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0110E3F0 13_2_0110E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_011802C0 13_2_011802C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01100535 13_2_01100535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_011565B2 13_2_011565B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_011565D0 13_2_011565D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01124750 13_2_01124750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01100770 13_2_01100770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0111C6E0 13_2_0111C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01116962 13_2_01116962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0110A840 13_2_0110A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01138890 13_2_01138890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0112E8F0 13_2_0112E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_010F28F0 13_2_010F28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_010E68F1 13_2_010E68F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01102A45 13_2_01102A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_010FEA80 13_2_010FEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0110AD00 13_2_0110AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0110ED7A 13_2_0110ED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01118DBF 13_2_01118DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01108DC0 13_2_01108DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01100C00 13_2_01100C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_010F0CF2 13_2_010F0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01120F30 13_2_01120F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01142F28 13_2_01142F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01174F40 13_2_01174F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0117EFA0 13_2_0117EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_010F2FC8 13_2_010F2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01100E59 13_2_01100E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01112ED9 13_2_01112ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_010EF172 13_2_010EF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0113516C 13_2_0113516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0110B1B0 13_2_0110B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_011033F3 13_2_011033F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_011052A0 13_2_011052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0111D2F0 13_2_0111D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01103497 13_2_01103497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_011474E0 13_2_011474E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0110B730 13_2_0110B730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01109950 13_2_01109950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0111B950 13_2_0111B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_010F1979 13_2_010F1979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_011059DA 13_2_011059DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0116D800 13_2_0116D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_011038E0 13_2_011038E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0111FB80 13_2_0111FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01175BF0 13_2_01175BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0113DBF9 13_2_0113DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01173A6C 13_2_01173A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01103D40 13_2_01103D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0111FDC0 13_2_0111FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01179C32 13_2_01179C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01119C20 13_2_01119C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01101F92 13_2_01101F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01109EB0 13_2_01109EB0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0196F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 018DB970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0195EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01937E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01147E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0116EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01925130 appears 58 times
Sample file is different than original file name gathered from version info
Source: Invoice & Packing list For Sea Shipment.exe, 00000000.00000002.919900217.000000000292A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs Invoice & Packing list For Sea Shipment.exe
Source: Invoice & Packing list For Sea Shipment.exe, 00000000.00000000.875714645.0000000000418000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamealKc.exe8 vs Invoice & Packing list For Sea Shipment.exe
Source: Invoice & Packing list For Sea Shipment.exe, 00000000.00000002.917652634.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Invoice & Packing list For Sea Shipment.exe
Source: Invoice & Packing list For Sea Shipment.exe, 00000000.00000002.924369509.0000000006C20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs Invoice & Packing list For Sea Shipment.exe
Source: Invoice & Packing list For Sea Shipment.exe, 00000000.00000002.924046042.0000000006B91000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Invoice & Packing list For Sea Shipment.exe
Source: Invoice & Packing list For Sea Shipment.exe, 00000000.00000002.924538910.0000000006C60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Invoice & Packing list For Sea Shipment.exe
Source: Invoice & Packing list For Sea Shipment.exe Binary or memory string: OriginalFilenamealKc.exe8 vs Invoice & Packing list For Sea Shipment.exe
Uses 32bit PE files
Source: Invoice & Packing list For Sea Shipment.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.955570993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.955570993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.955570993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.3322884312.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3322884312.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.3322884312.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.921854884.00000000038A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.921854884.00000000038A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.921854884.00000000038A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.921854884.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.921854884.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.921854884.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.3322242898.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3322242898.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.3322242898.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.951007561.0000000003516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.951007561.0000000003516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.951007561.0000000003516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.969807785.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.969807785.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.969807785.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.3322996222.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3322996222.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.3322996222.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Invoice & Packing list For Sea Shipment.exe PID: 7104, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6852, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: XXyQpOLIcjn.exe PID: 6912, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: help.exe PID: 1376, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: raserver.exe PID: 5204, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Invoice & Packing list For Sea Shipment.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XXyQpOLIcjn.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, mTFlZHIjYiOR7Pt9rQ.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, mTFlZHIjYiOR7Pt9rQ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, uxhwEVMeyu1TZlXYQm.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, uxhwEVMeyu1TZlXYQm.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, uxhwEVMeyu1TZlXYQm.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.troj.evad.winEXE@27/15@12/3
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File created: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Mutant created: \Sessions\1\BaseNamedObjects\rkHcBzdJwTmphPjqNGoeTKNVquT
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_03
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File created: C:\Users\user\AppData\Local\Temp\tmpAE3C.tmp Jump to behavior
Source: Invoice & Packing list For Sea Shipment.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Invoice & Packing list For Sea Shipment.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Invoice & Packing list For Sea Shipment.exe Virustotal: Detection: 32%
Source: Invoice & Packing list For Sea Shipment.exe ReversingLabs: Detection: 72%
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File read: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe "C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe"
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XXyQpOLIcjn" /XML "C:\Users\user\AppData\Local\Temp\tmpAE3C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XXyQpOLIcjn" /XML "C:\Users\user\AppData\Local\Temp\tmpB9C5.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe "C:\Windows\SysWOW64\help.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe" Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe" Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XXyQpOLIcjn" /XML "C:\Users\user\AppData\Local\Temp\tmpAE3C.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe "C:\Windows\SysWOW64\help.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XXyQpOLIcjn" /XML "C:\Users\user\AppData\Local\Temp\tmpB9C5.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wscinterop.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wscapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: werconcpl.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: hcproviders.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\help.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Invoice & Packing list For Sea Shipment.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Invoice & Packing list For Sea Shipment.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Invoice & Packing list For Sea Shipment.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000008.00000002.3335412300.000000001047F000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3324662584.000000000339F000.00000004.10000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3323113364.00000000028E1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000007.00000002.956746038.00000000018B0000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000E.00000002.3323891524.0000000002FEE000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000E.00000003.955913528.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000E.00000003.958906105.0000000002C9E000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000E.00000002.3323891524.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000F.00000002.970360026.000000000468E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000F.00000003.962674106.000000000419D000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000F.00000002.970360026.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000F.00000003.965560879.0000000004342000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000007.00000002.956746038.00000000018B0000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000E.00000002.3323891524.0000000002FEE000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000E.00000003.955913528.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000E.00000003.958906105.0000000002C9E000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000E.00000002.3323891524.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000F.00000002.970360026.000000000468E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000F.00000003.962674106.000000000419D000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000F.00000002.970360026.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000F.00000003.965560879.0000000004342000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RAServer.pdb source: RegSvcs.exe, 0000000D.00000002.963241216.0000000001080000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.962400543.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000F.00000002.970122815.0000000000700000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000008.00000002.3335412300.000000001047F000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3324662584.000000000339F000.00000004.10000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3323113364.00000000028E1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: help.pdbGCTL source: RegSvcs.exe, 00000007.00000002.956449177.0000000001388000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.956339132.0000000001330000.00000040.10000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3321973864.0000000000130000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: help.pdb source: RegSvcs.exe, 00000007.00000002.956449177.0000000001388000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.956339132.0000000001330000.00000040.10000000.00040000.00000000.sdmp, help.exe, 0000000E.00000002.3321973864.0000000000130000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RAServer.pdbGCTL source: RegSvcs.exe, 0000000D.00000002.963241216.0000000001080000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.962400543.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000F.00000002.970122815.0000000000700000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.2a93e3c.0.raw.unpack, zWIRjNncx7HQusCeV9.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c20000.1.raw.unpack, zWIRjNncx7HQusCeV9.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, uxhwEVMeyu1TZlXYQm.cs .Net Code: DblxS2qFe6 System.Reflection.Assembly.Load(byte[])
Source: 9.2.XXyQpOLIcjn.exe.2703bf4.0.raw.unpack, zWIRjNncx7HQusCeV9.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: Invoice & Packing list For Sea Shipment.exe Static PE information: 0xE0EAD909 [Fri Jul 29 14:56:09 2089 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Code function: 0_2_0ADA1C05 push FFFFFF8Bh; iretd 0_2_0ADA1C07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041E1FC pushfd ; retf 7_2_0041E1FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004172AE push ebp; retf 7_2_004172B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041D475 push eax; ret 7_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041D4C2 push eax; ret 7_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041D4CB push eax; ret 7_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041D52C push eax; ret 7_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041D580 push edx; ret 7_2_0041D957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018B225F pushad ; ret 7_2_018B27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018B27FA pushad ; ret 7_2_018B27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E09AD push ecx; mov dword ptr [esp], ecx 7_2_018E09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018B283D push eax; iretd 7_2_018B2858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018B1368 push eax; iretd 7_2_018B1369
Source: C:\Windows\explorer.exe Code function: 8_2_0DF4C9B5 push esp; retn 0000h 8_2_0DF4CAE7
Source: C:\Windows\explorer.exe Code function: 8_2_0DF4CB1E push esp; retn 0000h 8_2_0DF4CB1F
Source: C:\Windows\explorer.exe Code function: 8_2_0DF4CB02 push esp; retn 0000h 8_2_0DF4CB03
Source: C:\Windows\explorer.exe Code function: 8_2_0E092B02 push esp; retn 0000h 8_2_0E092B03
Source: C:\Windows\explorer.exe Code function: 8_2_0E092B1E push esp; retn 0000h 8_2_0E092B1F
Source: C:\Windows\explorer.exe Code function: 8_2_0E0929B5 push esp; retn 0000h 8_2_0E092AE7
Source: C:\Windows\explorer.exe Code function: 8_2_10CC59B5 push esp; retn 0000h 8_2_10CC5AE7
Source: C:\Windows\explorer.exe Code function: 8_2_10CC5B02 push esp; retn 0000h 8_2_10CC5B03
Source: C:\Windows\explorer.exe Code function: 8_2_10CC5B1E push esp; retn 0000h 8_2_10CC5B1F
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_06A24D98 pushfd ; iretd 9_2_06A24D9E
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_06A24801 pushfd ; iretd 9_2_06A24806
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Code function: 9_2_0B281395 push FFFFFF8Bh; iretd 9_2_0B281397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_010F09AD push ecx; mov dword ptr [esp], ecx 13_2_010F09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_010C1FEC push eax; iretd 13_2_010C1FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01147E99 push ecx; ret 13_2_01147EAC
Source: Invoice & Packing list For Sea Shipment.exe Static PE information: section name: .text entropy: 7.740580059559909
Source: XXyQpOLIcjn.exe.0.dr Static PE information: section name: .text entropy: 7.740580059559909
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, T24P1H8KVkfU3M39ge.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'M0bWGv60PG', 'aKEWvwdyjs', 'dVSWzqMRGG', 'RSXoFo7ks5', 'YihoCAEaEr', 'eHToWFl8F8', 'GLEooPVjnW', 'qjy6DoXqTBh5i5bueYp'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, uxhwEVMeyu1TZlXYQm.cs High entropy of concatenated method names: 'EkKogr6KZF', 'q3Po26oxq5', 'otIoELdjZo', 'JiZo8QflB4', 'H5Zo0s3yMA', 'tY5oZhUFnv', 'oq7ouup10b', 'MEAoMsNeMA', 'r8ro5QxRk3', 'Un8opU7PVO'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, Y3XyRIfdUYjENskwHn.cs High entropy of concatenated method names: 'slq0KyibWD', 'k1O0J2hSup', 'HaA8PBZtfm', 'r1L8VxdHnC', 'gnr8b05tRi', 'zoR8w0lF6s', 'H3Y8nu9J0N', 'fve8RBibtY', 'Ouy87cZWaF', 'T9Y8O7utoN'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, Tn5ZR6HXfgGeJdBfwa.cs High entropy of concatenated method names: 'KXHLOghyj1', 'iIdL1xP83X', 'W50LHv7vdu', 'uD4LBS7ugd', 'n0ULhGDSyH', 'X0GLPddGC9', 'WTjLVn9xsv', 'Ej8LbkKS8s', 'WBaLwHpnJA', 'g5ILnIoVqM'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, A98ZJl7UD7ghNOpqN4.cs High entropy of concatenated method names: 'XsGuq9L22t', 'dGTu957GnR', 'fZBuSaDuTE', 'GsSuD3A0pJ', 'xM2uK3u1cf', 'cc0ucnPn0v', 'XoLuJIUskP', 'cPSuIlHYHn', 'FlIukfALOW', 'IY9ufmSW5h'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, ebPZ7ZxwheHKEjh95P.cs High entropy of concatenated method names: 'vipCuTFlZH', 'uYiCMOR7Pt', 'SvXCpDZegb', 'PCmCQwv3Xy', 'rkwCLHnP0U', 'lfmCYlbsoW', 'DoPLyobChZEXYiDrFS', 'O9QaByofMb6MVQZUm7', 'FZTCCK9YK7', 'GNQCoKLRlG'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, MwFTTuCCt2QKcZUIjPo.cs High entropy of concatenated method names: 'T3eUvqR0T4', 'HnRUzWfbgW', 'i7x6FqCrnL', 'OgP6CgmPrV', 'X0R6WSUSoY', 'kPk6o3tVgF', 'sm46xOIwSN', 'LwR6ghV8DP', 'Lrq62iwRUE', 'HZv6EBn5Dr'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, T9JemMn4aRH3LNvEuK.cs High entropy of concatenated method names: 'QSWu2msoRx', 'Lfru83CI0i', 'sVjuZTo9BC', 'F20ZvNZJpd', 'h7DZzwf47T', 'JMJuFZlSK1', 'np6uCmx8gT', 'NV8uWJtJjg', 'AwkuoLOAr2', 'LIguxGQG0x'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, H0U5fmdlbsoWeFO73V.cs High entropy of concatenated method names: 'ykDZgCcfgJ', 'mcVZEuwGqS', 'MX2Z0F9ZPD', 'fQ7ZuV7H9h', 'DhZZMAbvxR', 'WYw0X8YYJR', 'VAJ03G4Rrj', 'AA804JO9fW', 'MxA0t5SkEw', 'VI50GrpWl4'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, TmE1lLWfGsOipviPbn.cs High entropy of concatenated method names: 'FxJSfoopT', 'KW2DKwn6u', 'aTOcACGTX', 'XAVJe28Yy', 'DOJksBsxk', 'yO5fGg6Wg', 'oRvuXqOjNaKdHx5w58', 'TxQPT69n345NTLrX1e', 'hZNs8Hj3i', 'jfhUaTlcH'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, mTFlZHIjYiOR7Pt9rQ.cs High entropy of concatenated method names: 'M2SEHItFEg', 'bwEEBYuFJ5', 'RRmEe1XGWa', 'EZbErFZmsj', 'rh6EXMDFnT', 'GMVE3YxUO7', 'MjrE46gB7R', 'Lr4EtmhSYr', 'qJREGbhnRL', 'a0hEv64kN5'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, wq53FxEWes5CKpqdOP.cs High entropy of concatenated method names: 'Dispose', 'QKkCGnCe89', 'dfLWhV7LqK', 'OHQwoUVP7G', 'PGMCv6Onsn', 'pW4Cz5bX31', 'ProcessDialogKey', 'HtHWF1WsFH', 'b87WCW2TLv', 'BW4WWlkWab'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, rLJQXxVO6tdbc5QiTM.cs High entropy of concatenated method names: 'E12ZaK4dtY', 'tuZZqdDtos', 'CgpZS3g9Ll', 'bBZZDopEWZ', 'mS5ZcfFG4d', 'zoNZJbQURY', 'PCKZkP08Sy', 'mrnZfEFJsa', 'E1mJsxLBX47gr2yl0qY', 'YmceVULvyRdWagS5Bbu'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, mDfaH8e51FoJOfVpmK.cs High entropy of concatenated method names: 'ToString', 'hSwYmKLvBd', 'f99YhCO409', 'qaKYP65u9O', 'SMFYVDBHVp', 'th0Ybum2lL', 'pAqYwFEl5w', 'LsyYn7coPf', 'LH3YRH8eHZ', 'H47Y7knC9n'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, vkWabHvlkek5okT1fr.cs High entropy of concatenated method names: 'MNtU8jSYWr', 'oioU06WDU4', 'JuOUZUDi1u', 'kjqUuGhDSo', 'TPXUAN73XO', 'y8IUMHTFqq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, BG8kmUyNMSB9eLWijp.cs High entropy of concatenated method names: 'bYrNITk993', 'XLKNkm5xCJ', 'hLLNdRcrsn', 'QgtNhOTtoK', 'zXQNVqtcn8', 'Or4NbTGNtW', 'hfoNnGiH9S', 'v62NR2g9C4', 'FebNOQhWpH', 'B3NNmUf2pk'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, U6DEnyz0NMiRhi4XkC.cs High entropy of concatenated method names: 'pOZUcNgSgS', 'LWmUIoawUr', 'uTCUkvP3D3', 'A7JUd37c96', 'mKHUhJEjKp', 'MwiUVakx6C', 'RUSUbEhO71', 'uI9UaHjunt', 'r47Uq6YTL0', 'TA9U9OXUVF'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, y5DumekvXDZegb1Cmw.cs High entropy of concatenated method names: 'Dwi8DGFABH', 'm848c4lfT1', 'JmV8IFio7L', 'deY8k5w0KC', 'xqy8LFW7EJ', 'e8j8Ya7h8B', 'Pbx8T37Fj1', 'cgr8skVebN', 'lNh8A4A01U', 'Nt98U8h1Qa'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, KLNyHoCFwVLOd5dmbIe.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LHLUmfA1I8', 'h32U1vDs5n', 'a5aUyjaqp9', 'NurUHaqkA4', 'glWUBtOqZp', 'OFCUePx1O5', 'wgsUrkjE7x'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, koBAdv47qyKknCe891.cs High entropy of concatenated method names: 'U4tALHdmqr', 'lBQATdSZum', 'JKgAAEIU3v', 'dI3A6eDpw7', 'ujrAlgDWWL', 'PZnAa5f8M5', 'Dispose', 'VKMs2NWIkI', 'idesEpPCcW', 'Nqls88yy1W'
Source: 0.2.Invoice & Packing list For Sea Shipment.exe.6c60000.2.raw.unpack, R1WsFHGC87W2TLvKW4.cs High entropy of concatenated method names: 'cKFAdLKikE', 'UduAhavpVO', 'f11APiRVZy', 'ibIAVbuMbe', 'sTfAbsbnVC', 'LPJAwEOPKO', 'arDAnd61sG', 'lGeAREkJSO', 'aokA7l19Yv', 'NhqAOiQsCC'
Creates processes with suspicious names
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File created: \invoice & packing list for sea shipment.exe
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File created: \invoice & packing list for sea shipment.exe
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File created: \invoice & packing list for sea shipment.exe
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File created: \invoice & packing list for sea shipment.exe
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File created: \invoice & packing list for sea shipment.exe Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File created: \invoice & packing list for sea shipment.exe Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File created: \invoice & packing list for sea shipment.exe Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File created: \invoice & packing list for sea shipment.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File created: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XXyQpOLIcjn" /XML "C:\Users\user\AppData\Local\Temp\tmpAE3C.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Invoice & Packing list For Sea Shipment.exe PID: 7104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: XXyQpOLIcjn.exe PID: 6912, type: MEMORYSTR
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFC1B60D324
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFC1B610774
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFC1B60D944
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFC1B60D504
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFC1B60D544
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFC1B60D1E4
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFC1B610154
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFC1B60D8A4
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFC1B60DA44
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 2609904 second address: 260990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 2609B6E second address: 2609B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory allocated: A40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory allocated: 2840000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory allocated: 26A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory allocated: 8600000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory allocated: 6E20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory allocated: 9600000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory allocated: A600000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Memory allocated: CC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Memory allocated: 24B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Memory allocated: 44B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Memory allocated: 8190000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Memory allocated: 9190000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Memory allocated: 9380000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Memory allocated: A380000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00409AA0 rdtsc 7_2_00409AA0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1348 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 427 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7141 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2399 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2370 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 7576 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 879 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 870 Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Window / User API: threadDelayed 9636
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 1.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 1.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe TID: 7124 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6452 Thread sleep count: 1348 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6484 Thread sleep count: 427 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6744 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6916 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6760 Thread sleep count: 2370 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6760 Thread sleep time: -4740000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6760 Thread sleep count: 7576 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6760 Thread sleep time: -15152000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe TID: 6904 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 6640 Thread sleep count: 336 > 30
Source: C:\Windows\SysWOW64\help.exe TID: 6640 Thread sleep time: -672000s >= -30000s
Source: C:\Windows\SysWOW64\help.exe TID: 6640 Thread sleep count: 9636 > 30
Source: C:\Windows\SysWOW64\help.exe TID: 6640 Thread sleep time: -19272000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2372 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe Jump to behavior
Source: explorer.exe, 00000008.00000003.2673378792.0000000008823000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00ssB1n
Source: svchost.exe, 00000013.00000002.2813303451.000002EAE222B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: explorer.exe, 00000008.00000003.2670860260.0000000008610000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: explorer.exe, 00000008.00000003.2670860260.00000000084DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.906949066.00000000084DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3328325402.00000000084DE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-GB\vhdmp.inf_loc
Source: explorer.exe, 00000008.00000002.3328325402.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.906949066.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008669000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2814092002.000002EAE385E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000008.00000003.2670860260.000000000874E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000erf
Source: explorer.exe, 00000008.00000002.3322917350.0000000000584000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000a;
Source: explorer.exe, 00000008.00000002.3329010599.0000000008689000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000008.00000002.3328325402.0000000008610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.906949066.0000000008610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2670860260.0000000008610000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: explorer.exe, 00000008.00000003.2670860260.0000000008610000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: =War&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000008.00000002.3322917350.0000000000584000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000008.00000003.2673703001.000000000874E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}/
Source: explorer.exe, 00000008.00000003.2673703001.000000000874E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000003.2673703001.000000000874E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}o
Source: explorer.exe, 00000008.00000002.3328325402.00000000084DE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I
Source: explorer.exe, 00000008.00000002.3322917350.0000000000584000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00409AA0 rdtsc 7_2_00409AA0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0040ACE0 LdrLoadDll, 7_2_0040ACE0
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196019F mov eax, dword ptr fs:[00000030h] 7_2_0196019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196019F mov eax, dword ptr fs:[00000030h] 7_2_0196019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196019F mov eax, dword ptr fs:[00000030h] 7_2_0196019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196019F mov eax, dword ptr fs:[00000030h] 7_2_0196019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0199C188 mov eax, dword ptr fs:[00000030h] 7_2_0199C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0199C188 mov eax, dword ptr fs:[00000030h] 7_2_0199C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01920185 mov eax, dword ptr fs:[00000030h] 7_2_01920185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01984180 mov eax, dword ptr fs:[00000030h] 7_2_01984180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01984180 mov eax, dword ptr fs:[00000030h] 7_2_01984180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DA197 mov eax, dword ptr fs:[00000030h] 7_2_018DA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DA197 mov eax, dword ptr fs:[00000030h] 7_2_018DA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DA197 mov eax, dword ptr fs:[00000030h] 7_2_018DA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0195E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0195E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195E1D0 mov ecx, dword ptr fs:[00000030h] 7_2_0195E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0195E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0195E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A61C3 mov eax, dword ptr fs:[00000030h] 7_2_019A61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A61C3 mov eax, dword ptr fs:[00000030h] 7_2_019A61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019101F8 mov eax, dword ptr fs:[00000030h] 7_2_019101F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B61E5 mov eax, dword ptr fs:[00000030h] 7_2_019B61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198A118 mov ecx, dword ptr fs:[00000030h] 7_2_0198A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198A118 mov eax, dword ptr fs:[00000030h] 7_2_0198A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198A118 mov eax, dword ptr fs:[00000030h] 7_2_0198A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198A118 mov eax, dword ptr fs:[00000030h] 7_2_0198A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A0115 mov eax, dword ptr fs:[00000030h] 7_2_019A0115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E10E mov eax, dword ptr fs:[00000030h] 7_2_0198E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E10E mov ecx, dword ptr fs:[00000030h] 7_2_0198E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E10E mov eax, dword ptr fs:[00000030h] 7_2_0198E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E10E mov eax, dword ptr fs:[00000030h] 7_2_0198E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E10E mov ecx, dword ptr fs:[00000030h] 7_2_0198E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E10E mov eax, dword ptr fs:[00000030h] 7_2_0198E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E10E mov eax, dword ptr fs:[00000030h] 7_2_0198E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E10E mov ecx, dword ptr fs:[00000030h] 7_2_0198E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E10E mov eax, dword ptr fs:[00000030h] 7_2_0198E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E10E mov ecx, dword ptr fs:[00000030h] 7_2_0198E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01910124 mov eax, dword ptr fs:[00000030h] 7_2_01910124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01978158 mov eax, dword ptr fs:[00000030h] 7_2_01978158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01974144 mov eax, dword ptr fs:[00000030h] 7_2_01974144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01974144 mov eax, dword ptr fs:[00000030h] 7_2_01974144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01974144 mov ecx, dword ptr fs:[00000030h] 7_2_01974144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01974144 mov eax, dword ptr fs:[00000030h] 7_2_01974144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01974144 mov eax, dword ptr fs:[00000030h] 7_2_01974144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E6154 mov eax, dword ptr fs:[00000030h] 7_2_018E6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E6154 mov eax, dword ptr fs:[00000030h] 7_2_018E6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DC156 mov eax, dword ptr fs:[00000030h] 7_2_018DC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B4164 mov eax, dword ptr fs:[00000030h] 7_2_019B4164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B4164 mov eax, dword ptr fs:[00000030h] 7_2_019B4164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E208A mov eax, dword ptr fs:[00000030h] 7_2_018E208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A60B8 mov eax, dword ptr fs:[00000030h] 7_2_019A60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A60B8 mov ecx, dword ptr fs:[00000030h] 7_2_019A60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018D80A0 mov eax, dword ptr fs:[00000030h] 7_2_018D80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019780A8 mov eax, dword ptr fs:[00000030h] 7_2_019780A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019620DE mov eax, dword ptr fs:[00000030h] 7_2_019620DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019220F0 mov ecx, dword ptr fs:[00000030h] 7_2_019220F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E80E9 mov eax, dword ptr fs:[00000030h] 7_2_018E80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DA0E3 mov ecx, dword ptr fs:[00000030h] 7_2_018DA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019660E0 mov eax, dword ptr fs:[00000030h] 7_2_019660E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DC0F0 mov eax, dword ptr fs:[00000030h] 7_2_018DC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01964000 mov ecx, dword ptr fs:[00000030h] 7_2_01964000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01982000 mov eax, dword ptr fs:[00000030h] 7_2_01982000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01982000 mov eax, dword ptr fs:[00000030h] 7_2_01982000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01982000 mov eax, dword ptr fs:[00000030h] 7_2_01982000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01982000 mov eax, dword ptr fs:[00000030h] 7_2_01982000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01982000 mov eax, dword ptr fs:[00000030h] 7_2_01982000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01982000 mov eax, dword ptr fs:[00000030h] 7_2_01982000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01982000 mov eax, dword ptr fs:[00000030h] 7_2_01982000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01982000 mov eax, dword ptr fs:[00000030h] 7_2_01982000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FE016 mov eax, dword ptr fs:[00000030h] 7_2_018FE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FE016 mov eax, dword ptr fs:[00000030h] 7_2_018FE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FE016 mov eax, dword ptr fs:[00000030h] 7_2_018FE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FE016 mov eax, dword ptr fs:[00000030h] 7_2_018FE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01976030 mov eax, dword ptr fs:[00000030h] 7_2_01976030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DA020 mov eax, dword ptr fs:[00000030h] 7_2_018DA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DC020 mov eax, dword ptr fs:[00000030h] 7_2_018DC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01966050 mov eax, dword ptr fs:[00000030h] 7_2_01966050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E2050 mov eax, dword ptr fs:[00000030h] 7_2_018E2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190C073 mov eax, dword ptr fs:[00000030h] 7_2_0190C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DE388 mov eax, dword ptr fs:[00000030h] 7_2_018DE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DE388 mov eax, dword ptr fs:[00000030h] 7_2_018DE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DE388 mov eax, dword ptr fs:[00000030h] 7_2_018DE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018D8397 mov eax, dword ptr fs:[00000030h] 7_2_018D8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018D8397 mov eax, dword ptr fs:[00000030h] 7_2_018D8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018D8397 mov eax, dword ptr fs:[00000030h] 7_2_018D8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190438F mov eax, dword ptr fs:[00000030h] 7_2_0190438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190438F mov eax, dword ptr fs:[00000030h] 7_2_0190438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E3DB mov eax, dword ptr fs:[00000030h] 7_2_0198E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E3DB mov eax, dword ptr fs:[00000030h] 7_2_0198E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E3DB mov ecx, dword ptr fs:[00000030h] 7_2_0198E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198E3DB mov eax, dword ptr fs:[00000030h] 7_2_0198E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019843D4 mov eax, dword ptr fs:[00000030h] 7_2_019843D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019843D4 mov eax, dword ptr fs:[00000030h] 7_2_019843D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EA3C0 mov eax, dword ptr fs:[00000030h] 7_2_018EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EA3C0 mov eax, dword ptr fs:[00000030h] 7_2_018EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EA3C0 mov eax, dword ptr fs:[00000030h] 7_2_018EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EA3C0 mov eax, dword ptr fs:[00000030h] 7_2_018EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EA3C0 mov eax, dword ptr fs:[00000030h] 7_2_018EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EA3C0 mov eax, dword ptr fs:[00000030h] 7_2_018EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E83C0 mov eax, dword ptr fs:[00000030h] 7_2_018E83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E83C0 mov eax, dword ptr fs:[00000030h] 7_2_018E83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E83C0 mov eax, dword ptr fs:[00000030h] 7_2_018E83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E83C0 mov eax, dword ptr fs:[00000030h] 7_2_018E83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0199C3CD mov eax, dword ptr fs:[00000030h] 7_2_0199C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019663C0 mov eax, dword ptr fs:[00000030h] 7_2_019663C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F03E9 mov eax, dword ptr fs:[00000030h] 7_2_018F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F03E9 mov eax, dword ptr fs:[00000030h] 7_2_018F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F03E9 mov eax, dword ptr fs:[00000030h] 7_2_018F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F03E9 mov eax, dword ptr fs:[00000030h] 7_2_018F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F03E9 mov eax, dword ptr fs:[00000030h] 7_2_018F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F03E9 mov eax, dword ptr fs:[00000030h] 7_2_018F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F03E9 mov eax, dword ptr fs:[00000030h] 7_2_018F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F03E9 mov eax, dword ptr fs:[00000030h] 7_2_018F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019163FF mov eax, dword ptr fs:[00000030h] 7_2_019163FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FE3F0 mov eax, dword ptr fs:[00000030h] 7_2_018FE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FE3F0 mov eax, dword ptr fs:[00000030h] 7_2_018FE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FE3F0 mov eax, dword ptr fs:[00000030h] 7_2_018FE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01900310 mov ecx, dword ptr fs:[00000030h] 7_2_01900310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191A30B mov eax, dword ptr fs:[00000030h] 7_2_0191A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191A30B mov eax, dword ptr fs:[00000030h] 7_2_0191A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191A30B mov eax, dword ptr fs:[00000030h] 7_2_0191A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DC310 mov ecx, dword ptr fs:[00000030h] 7_2_018DC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B8324 mov eax, dword ptr fs:[00000030h] 7_2_019B8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B8324 mov ecx, dword ptr fs:[00000030h] 7_2_019B8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B8324 mov eax, dword ptr fs:[00000030h] 7_2_019B8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B8324 mov eax, dword ptr fs:[00000030h] 7_2_019B8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AA352 mov eax, dword ptr fs:[00000030h] 7_2_019AA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01988350 mov ecx, dword ptr fs:[00000030h] 7_2_01988350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196035C mov eax, dword ptr fs:[00000030h] 7_2_0196035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196035C mov eax, dword ptr fs:[00000030h] 7_2_0196035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196035C mov eax, dword ptr fs:[00000030h] 7_2_0196035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196035C mov ecx, dword ptr fs:[00000030h] 7_2_0196035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196035C mov eax, dword ptr fs:[00000030h] 7_2_0196035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196035C mov eax, dword ptr fs:[00000030h] 7_2_0196035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B634F mov eax, dword ptr fs:[00000030h] 7_2_019B634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01962349 mov eax, dword ptr fs:[00000030h] 7_2_01962349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198437C mov eax, dword ptr fs:[00000030h] 7_2_0198437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01960283 mov eax, dword ptr fs:[00000030h] 7_2_01960283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01960283 mov eax, dword ptr fs:[00000030h] 7_2_01960283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01960283 mov eax, dword ptr fs:[00000030h] 7_2_01960283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E284 mov eax, dword ptr fs:[00000030h] 7_2_0191E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E284 mov eax, dword ptr fs:[00000030h] 7_2_0191E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F02A0 mov eax, dword ptr fs:[00000030h] 7_2_018F02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F02A0 mov eax, dword ptr fs:[00000030h] 7_2_018F02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019762A0 mov eax, dword ptr fs:[00000030h] 7_2_019762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019762A0 mov ecx, dword ptr fs:[00000030h] 7_2_019762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019762A0 mov eax, dword ptr fs:[00000030h] 7_2_019762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019762A0 mov eax, dword ptr fs:[00000030h] 7_2_019762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019762A0 mov eax, dword ptr fs:[00000030h] 7_2_019762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019762A0 mov eax, dword ptr fs:[00000030h] 7_2_019762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B62D6 mov eax, dword ptr fs:[00000030h] 7_2_019B62D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F02E1 mov eax, dword ptr fs:[00000030h] 7_2_018F02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F02E1 mov eax, dword ptr fs:[00000030h] 7_2_018F02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F02E1 mov eax, dword ptr fs:[00000030h] 7_2_018F02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018D823B mov eax, dword ptr fs:[00000030h] 7_2_018D823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B625D mov eax, dword ptr fs:[00000030h] 7_2_019B625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0199A250 mov eax, dword ptr fs:[00000030h] 7_2_0199A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0199A250 mov eax, dword ptr fs:[00000030h] 7_2_0199A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01968243 mov eax, dword ptr fs:[00000030h] 7_2_01968243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01968243 mov ecx, dword ptr fs:[00000030h] 7_2_01968243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E6259 mov eax, dword ptr fs:[00000030h] 7_2_018E6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DA250 mov eax, dword ptr fs:[00000030h] 7_2_018DA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018D826B mov eax, dword ptr fs:[00000030h] 7_2_018D826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 mov eax, dword ptr fs:[00000030h] 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 mov eax, dword ptr fs:[00000030h] 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 mov eax, dword ptr fs:[00000030h] 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 mov eax, dword ptr fs:[00000030h] 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 mov eax, dword ptr fs:[00000030h] 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 mov eax, dword ptr fs:[00000030h] 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 mov eax, dword ptr fs:[00000030h] 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 mov eax, dword ptr fs:[00000030h] 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 mov eax, dword ptr fs:[00000030h] 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 mov eax, dword ptr fs:[00000030h] 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 mov eax, dword ptr fs:[00000030h] 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01990274 mov eax, dword ptr fs:[00000030h] 7_2_01990274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E4260 mov eax, dword ptr fs:[00000030h] 7_2_018E4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E4260 mov eax, dword ptr fs:[00000030h] 7_2_018E4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E4260 mov eax, dword ptr fs:[00000030h] 7_2_018E4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E2582 mov eax, dword ptr fs:[00000030h] 7_2_018E2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E2582 mov ecx, dword ptr fs:[00000030h] 7_2_018E2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E59C mov eax, dword ptr fs:[00000030h] 7_2_0191E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01914588 mov eax, dword ptr fs:[00000030h] 7_2_01914588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019045B1 mov eax, dword ptr fs:[00000030h] 7_2_019045B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019045B1 mov eax, dword ptr fs:[00000030h] 7_2_019045B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019605A7 mov eax, dword ptr fs:[00000030h] 7_2_019605A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019605A7 mov eax, dword ptr fs:[00000030h] 7_2_019605A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019605A7 mov eax, dword ptr fs:[00000030h] 7_2_019605A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191A5D0 mov eax, dword ptr fs:[00000030h] 7_2_0191A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191A5D0 mov eax, dword ptr fs:[00000030h] 7_2_0191A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E5CF mov eax, dword ptr fs:[00000030h] 7_2_0191E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E5CF mov eax, dword ptr fs:[00000030h] 7_2_0191E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E65D0 mov eax, dword ptr fs:[00000030h] 7_2_018E65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E25E0 mov eax, dword ptr fs:[00000030h] 7_2_018E25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0190E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0190E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0190E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0190E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0190E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0190E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0190E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0190E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191C5ED mov eax, dword ptr fs:[00000030h] 7_2_0191C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191C5ED mov eax, dword ptr fs:[00000030h] 7_2_0191C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01976500 mov eax, dword ptr fs:[00000030h] 7_2_01976500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B4500 mov eax, dword ptr fs:[00000030h] 7_2_019B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B4500 mov eax, dword ptr fs:[00000030h] 7_2_019B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B4500 mov eax, dword ptr fs:[00000030h] 7_2_019B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B4500 mov eax, dword ptr fs:[00000030h] 7_2_019B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B4500 mov eax, dword ptr fs:[00000030h] 7_2_019B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B4500 mov eax, dword ptr fs:[00000030h] 7_2_019B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B4500 mov eax, dword ptr fs:[00000030h] 7_2_019B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E53E mov eax, dword ptr fs:[00000030h] 7_2_0190E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E53E mov eax, dword ptr fs:[00000030h] 7_2_0190E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E53E mov eax, dword ptr fs:[00000030h] 7_2_0190E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E53E mov eax, dword ptr fs:[00000030h] 7_2_0190E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E53E mov eax, dword ptr fs:[00000030h] 7_2_0190E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0535 mov eax, dword ptr fs:[00000030h] 7_2_018F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0535 mov eax, dword ptr fs:[00000030h] 7_2_018F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0535 mov eax, dword ptr fs:[00000030h] 7_2_018F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0535 mov eax, dword ptr fs:[00000030h] 7_2_018F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0535 mov eax, dword ptr fs:[00000030h] 7_2_018F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0535 mov eax, dword ptr fs:[00000030h] 7_2_018F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E8550 mov eax, dword ptr fs:[00000030h] 7_2_018E8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E8550 mov eax, dword ptr fs:[00000030h] 7_2_018E8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191656A mov eax, dword ptr fs:[00000030h] 7_2_0191656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191656A mov eax, dword ptr fs:[00000030h] 7_2_0191656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191656A mov eax, dword ptr fs:[00000030h] 7_2_0191656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0199A49A mov eax, dword ptr fs:[00000030h] 7_2_0199A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019144B0 mov ecx, dword ptr fs:[00000030h] 7_2_019144B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E64AB mov eax, dword ptr fs:[00000030h] 7_2_018E64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196A4B0 mov eax, dword ptr fs:[00000030h] 7_2_0196A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E04E5 mov ecx, dword ptr fs:[00000030h] 7_2_018E04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01918402 mov eax, dword ptr fs:[00000030h] 7_2_01918402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01918402 mov eax, dword ptr fs:[00000030h] 7_2_01918402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01918402 mov eax, dword ptr fs:[00000030h] 7_2_01918402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191A430 mov eax, dword ptr fs:[00000030h] 7_2_0191A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DC427 mov eax, dword ptr fs:[00000030h] 7_2_018DC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DE420 mov eax, dword ptr fs:[00000030h] 7_2_018DE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DE420 mov eax, dword ptr fs:[00000030h] 7_2_018DE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DE420 mov eax, dword ptr fs:[00000030h] 7_2_018DE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01966420 mov eax, dword ptr fs:[00000030h] 7_2_01966420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01966420 mov eax, dword ptr fs:[00000030h] 7_2_01966420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01966420 mov eax, dword ptr fs:[00000030h] 7_2_01966420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01966420 mov eax, dword ptr fs:[00000030h] 7_2_01966420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01966420 mov eax, dword ptr fs:[00000030h] 7_2_01966420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01966420 mov eax, dword ptr fs:[00000030h] 7_2_01966420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01966420 mov eax, dword ptr fs:[00000030h] 7_2_01966420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190245A mov eax, dword ptr fs:[00000030h] 7_2_0190245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0199A456 mov eax, dword ptr fs:[00000030h] 7_2_0199A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018D645D mov eax, dword ptr fs:[00000030h] 7_2_018D645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E443 mov eax, dword ptr fs:[00000030h] 7_2_0191E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E443 mov eax, dword ptr fs:[00000030h] 7_2_0191E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E443 mov eax, dword ptr fs:[00000030h] 7_2_0191E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E443 mov eax, dword ptr fs:[00000030h] 7_2_0191E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E443 mov eax, dword ptr fs:[00000030h] 7_2_0191E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E443 mov eax, dword ptr fs:[00000030h] 7_2_0191E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E443 mov eax, dword ptr fs:[00000030h] 7_2_0191E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191E443 mov eax, dword ptr fs:[00000030h] 7_2_0191E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190A470 mov eax, dword ptr fs:[00000030h] 7_2_0190A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190A470 mov eax, dword ptr fs:[00000030h] 7_2_0190A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190A470 mov eax, dword ptr fs:[00000030h] 7_2_0190A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196C460 mov ecx, dword ptr fs:[00000030h] 7_2_0196C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198678E mov eax, dword ptr fs:[00000030h] 7_2_0198678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E07AF mov eax, dword ptr fs:[00000030h] 7_2_018E07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019947A0 mov eax, dword ptr fs:[00000030h] 7_2_019947A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EC7C0 mov eax, dword ptr fs:[00000030h] 7_2_018EC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019607C3 mov eax, dword ptr fs:[00000030h] 7_2_019607C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E47FB mov eax, dword ptr fs:[00000030h] 7_2_018E47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E47FB mov eax, dword ptr fs:[00000030h] 7_2_018E47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196E7E1 mov eax, dword ptr fs:[00000030h] 7_2_0196E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019027ED mov eax, dword ptr fs:[00000030h] 7_2_019027ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019027ED mov eax, dword ptr fs:[00000030h] 7_2_019027ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019027ED mov eax, dword ptr fs:[00000030h] 7_2_019027ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01910710 mov eax, dword ptr fs:[00000030h] 7_2_01910710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191C700 mov eax, dword ptr fs:[00000030h] 7_2_0191C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E0710 mov eax, dword ptr fs:[00000030h] 7_2_018E0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195C730 mov eax, dword ptr fs:[00000030h] 7_2_0195C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191273C mov eax, dword ptr fs:[00000030h] 7_2_0191273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191273C mov ecx, dword ptr fs:[00000030h] 7_2_0191273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191273C mov eax, dword ptr fs:[00000030h] 7_2_0191273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191C720 mov eax, dword ptr fs:[00000030h] 7_2_0191C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191C720 mov eax, dword ptr fs:[00000030h] 7_2_0191C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922750 mov eax, dword ptr fs:[00000030h] 7_2_01922750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922750 mov eax, dword ptr fs:[00000030h] 7_2_01922750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01964755 mov eax, dword ptr fs:[00000030h] 7_2_01964755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196E75D mov eax, dword ptr fs:[00000030h] 7_2_0196E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191674D mov esi, dword ptr fs:[00000030h] 7_2_0191674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191674D mov eax, dword ptr fs:[00000030h] 7_2_0191674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191674D mov eax, dword ptr fs:[00000030h] 7_2_0191674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E0750 mov eax, dword ptr fs:[00000030h] 7_2_018E0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E8770 mov eax, dword ptr fs:[00000030h] 7_2_018E8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 mov eax, dword ptr fs:[00000030h] 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 mov eax, dword ptr fs:[00000030h] 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 mov eax, dword ptr fs:[00000030h] 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 mov eax, dword ptr fs:[00000030h] 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 mov eax, dword ptr fs:[00000030h] 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 mov eax, dword ptr fs:[00000030h] 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 mov eax, dword ptr fs:[00000030h] 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 mov eax, dword ptr fs:[00000030h] 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 mov eax, dword ptr fs:[00000030h] 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 mov eax, dword ptr fs:[00000030h] 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 mov eax, dword ptr fs:[00000030h] 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0770 mov eax, dword ptr fs:[00000030h] 7_2_018F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E4690 mov eax, dword ptr fs:[00000030h] 7_2_018E4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E4690 mov eax, dword ptr fs:[00000030h] 7_2_018E4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019166B0 mov eax, dword ptr fs:[00000030h] 7_2_019166B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191C6A6 mov eax, dword ptr fs:[00000030h] 7_2_0191C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191A6C7 mov ebx, dword ptr fs:[00000030h] 7_2_0191A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191A6C7 mov eax, dword ptr fs:[00000030h] 7_2_0191A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195E6F2 mov eax, dword ptr fs:[00000030h] 7_2_0195E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195E6F2 mov eax, dword ptr fs:[00000030h] 7_2_0195E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195E6F2 mov eax, dword ptr fs:[00000030h] 7_2_0195E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195E6F2 mov eax, dword ptr fs:[00000030h] 7_2_0195E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019606F1 mov eax, dword ptr fs:[00000030h] 7_2_019606F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019606F1 mov eax, dword ptr fs:[00000030h] 7_2_019606F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F260B mov eax, dword ptr fs:[00000030h] 7_2_018F260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F260B mov eax, dword ptr fs:[00000030h] 7_2_018F260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F260B mov eax, dword ptr fs:[00000030h] 7_2_018F260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F260B mov eax, dword ptr fs:[00000030h] 7_2_018F260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F260B mov eax, dword ptr fs:[00000030h] 7_2_018F260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F260B mov eax, dword ptr fs:[00000030h] 7_2_018F260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F260B mov eax, dword ptr fs:[00000030h] 7_2_018F260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01922619 mov eax, dword ptr fs:[00000030h] 7_2_01922619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195E609 mov eax, dword ptr fs:[00000030h] 7_2_0195E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E262C mov eax, dword ptr fs:[00000030h] 7_2_018E262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FE627 mov eax, dword ptr fs:[00000030h] 7_2_018FE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01916620 mov eax, dword ptr fs:[00000030h] 7_2_01916620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01918620 mov eax, dword ptr fs:[00000030h] 7_2_01918620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018FC640 mov eax, dword ptr fs:[00000030h] 7_2_018FC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01912674 mov eax, dword ptr fs:[00000030h] 7_2_01912674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191A660 mov eax, dword ptr fs:[00000030h] 7_2_0191A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191A660 mov eax, dword ptr fs:[00000030h] 7_2_0191A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A866E mov eax, dword ptr fs:[00000030h] 7_2_019A866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A866E mov eax, dword ptr fs:[00000030h] 7_2_019A866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E09AD mov eax, dword ptr fs:[00000030h] 7_2_018E09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E09AD mov eax, dword ptr fs:[00000030h] 7_2_018E09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019689B3 mov esi, dword ptr fs:[00000030h] 7_2_019689B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019689B3 mov eax, dword ptr fs:[00000030h] 7_2_019689B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019689B3 mov eax, dword ptr fs:[00000030h] 7_2_019689B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F29A0 mov eax, dword ptr fs:[00000030h] 7_2_018F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019149D0 mov eax, dword ptr fs:[00000030h] 7_2_019149D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AA9D3 mov eax, dword ptr fs:[00000030h] 7_2_019AA9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019769C0 mov eax, dword ptr fs:[00000030h] 7_2_019769C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EA9D0 mov eax, dword ptr fs:[00000030h] 7_2_018EA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EA9D0 mov eax, dword ptr fs:[00000030h] 7_2_018EA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EA9D0 mov eax, dword ptr fs:[00000030h] 7_2_018EA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EA9D0 mov eax, dword ptr fs:[00000030h] 7_2_018EA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EA9D0 mov eax, dword ptr fs:[00000030h] 7_2_018EA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EA9D0 mov eax, dword ptr fs:[00000030h] 7_2_018EA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019129F9 mov eax, dword ptr fs:[00000030h] 7_2_019129F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019129F9 mov eax, dword ptr fs:[00000030h] 7_2_019129F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196E9E0 mov eax, dword ptr fs:[00000030h] 7_2_0196E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196C912 mov eax, dword ptr fs:[00000030h] 7_2_0196C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018D8918 mov eax, dword ptr fs:[00000030h] 7_2_018D8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018D8918 mov eax, dword ptr fs:[00000030h] 7_2_018D8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195E908 mov eax, dword ptr fs:[00000030h] 7_2_0195E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195E908 mov eax, dword ptr fs:[00000030h] 7_2_0195E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196892A mov eax, dword ptr fs:[00000030h] 7_2_0196892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0197892B mov eax, dword ptr fs:[00000030h] 7_2_0197892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01960946 mov eax, dword ptr fs:[00000030h] 7_2_01960946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B4940 mov eax, dword ptr fs:[00000030h] 7_2_019B4940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01984978 mov eax, dword ptr fs:[00000030h] 7_2_01984978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01984978 mov eax, dword ptr fs:[00000030h] 7_2_01984978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196C97C mov eax, dword ptr fs:[00000030h] 7_2_0196C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01906962 mov eax, dword ptr fs:[00000030h] 7_2_01906962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01906962 mov eax, dword ptr fs:[00000030h] 7_2_01906962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01906962 mov eax, dword ptr fs:[00000030h] 7_2_01906962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0192096E mov eax, dword ptr fs:[00000030h] 7_2_0192096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0192096E mov edx, dword ptr fs:[00000030h] 7_2_0192096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0192096E mov eax, dword ptr fs:[00000030h] 7_2_0192096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E0887 mov eax, dword ptr fs:[00000030h] 7_2_018E0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196C89D mov eax, dword ptr fs:[00000030h] 7_2_0196C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190E8C0 mov eax, dword ptr fs:[00000030h] 7_2_0190E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B08C0 mov eax, dword ptr fs:[00000030h] 7_2_019B08C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191C8F9 mov eax, dword ptr fs:[00000030h] 7_2_0191C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191C8F9 mov eax, dword ptr fs:[00000030h] 7_2_0191C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AA8E4 mov eax, dword ptr fs:[00000030h] 7_2_019AA8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196C810 mov eax, dword ptr fs:[00000030h] 7_2_0196C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191A830 mov eax, dword ptr fs:[00000030h] 7_2_0191A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198483A mov eax, dword ptr fs:[00000030h] 7_2_0198483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198483A mov eax, dword ptr fs:[00000030h] 7_2_0198483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01902835 mov eax, dword ptr fs:[00000030h] 7_2_01902835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01902835 mov eax, dword ptr fs:[00000030h] 7_2_01902835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01902835 mov eax, dword ptr fs:[00000030h] 7_2_01902835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01902835 mov ecx, dword ptr fs:[00000030h] 7_2_01902835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01902835 mov eax, dword ptr fs:[00000030h] 7_2_01902835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01902835 mov eax, dword ptr fs:[00000030h] 7_2_01902835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01910854 mov eax, dword ptr fs:[00000030h] 7_2_01910854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F2840 mov ecx, dword ptr fs:[00000030h] 7_2_018F2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E4859 mov eax, dword ptr fs:[00000030h] 7_2_018E4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E4859 mov eax, dword ptr fs:[00000030h] 7_2_018E4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196E872 mov eax, dword ptr fs:[00000030h] 7_2_0196E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196E872 mov eax, dword ptr fs:[00000030h] 7_2_0196E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01976870 mov eax, dword ptr fs:[00000030h] 7_2_01976870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01976870 mov eax, dword ptr fs:[00000030h] 7_2_01976870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01994BB0 mov eax, dword ptr fs:[00000030h] 7_2_01994BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01994BB0 mov eax, dword ptr fs:[00000030h] 7_2_01994BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0BBE mov eax, dword ptr fs:[00000030h] 7_2_018F0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0BBE mov eax, dword ptr fs:[00000030h] 7_2_018F0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E0BCD mov eax, dword ptr fs:[00000030h] 7_2_018E0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E0BCD mov eax, dword ptr fs:[00000030h] 7_2_018E0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E0BCD mov eax, dword ptr fs:[00000030h] 7_2_018E0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198EBD0 mov eax, dword ptr fs:[00000030h] 7_2_0198EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01900BCB mov eax, dword ptr fs:[00000030h] 7_2_01900BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01900BCB mov eax, dword ptr fs:[00000030h] 7_2_01900BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01900BCB mov eax, dword ptr fs:[00000030h] 7_2_01900BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196CBF0 mov eax, dword ptr fs:[00000030h] 7_2_0196CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190EBFC mov eax, dword ptr fs:[00000030h] 7_2_0190EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E8BF0 mov eax, dword ptr fs:[00000030h] 7_2_018E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E8BF0 mov eax, dword ptr fs:[00000030h] 7_2_018E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E8BF0 mov eax, dword ptr fs:[00000030h] 7_2_018E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195EB1D mov eax, dword ptr fs:[00000030h] 7_2_0195EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195EB1D mov eax, dword ptr fs:[00000030h] 7_2_0195EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195EB1D mov eax, dword ptr fs:[00000030h] 7_2_0195EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195EB1D mov eax, dword ptr fs:[00000030h] 7_2_0195EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195EB1D mov eax, dword ptr fs:[00000030h] 7_2_0195EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195EB1D mov eax, dword ptr fs:[00000030h] 7_2_0195EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195EB1D mov eax, dword ptr fs:[00000030h] 7_2_0195EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195EB1D mov eax, dword ptr fs:[00000030h] 7_2_0195EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0195EB1D mov eax, dword ptr fs:[00000030h] 7_2_0195EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B4B00 mov eax, dword ptr fs:[00000030h] 7_2_019B4B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190EB20 mov eax, dword ptr fs:[00000030h] 7_2_0190EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190EB20 mov eax, dword ptr fs:[00000030h] 7_2_0190EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A8B28 mov eax, dword ptr fs:[00000030h] 7_2_019A8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019A8B28 mov eax, dword ptr fs:[00000030h] 7_2_019A8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0198EB50 mov eax, dword ptr fs:[00000030h] 7_2_0198EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B2B57 mov eax, dword ptr fs:[00000030h] 7_2_019B2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B2B57 mov eax, dword ptr fs:[00000030h] 7_2_019B2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B2B57 mov eax, dword ptr fs:[00000030h] 7_2_019B2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B2B57 mov eax, dword ptr fs:[00000030h] 7_2_019B2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01994B4B mov eax, dword ptr fs:[00000030h] 7_2_01994B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01994B4B mov eax, dword ptr fs:[00000030h] 7_2_01994B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01976B40 mov eax, dword ptr fs:[00000030h] 7_2_01976B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01976B40 mov eax, dword ptr fs:[00000030h] 7_2_01976B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019AAB40 mov eax, dword ptr fs:[00000030h] 7_2_019AAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01988B42 mov eax, dword ptr fs:[00000030h] 7_2_01988B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018D8B50 mov eax, dword ptr fs:[00000030h] 7_2_018D8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018DCB7E mov eax, dword ptr fs:[00000030h] 7_2_018DCB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01918A90 mov edx, dword ptr fs:[00000030h] 7_2_01918A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EEA80 mov eax, dword ptr fs:[00000030h] 7_2_018EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EEA80 mov eax, dword ptr fs:[00000030h] 7_2_018EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EEA80 mov eax, dword ptr fs:[00000030h] 7_2_018EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EEA80 mov eax, dword ptr fs:[00000030h] 7_2_018EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EEA80 mov eax, dword ptr fs:[00000030h] 7_2_018EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EEA80 mov eax, dword ptr fs:[00000030h] 7_2_018EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EEA80 mov eax, dword ptr fs:[00000030h] 7_2_018EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EEA80 mov eax, dword ptr fs:[00000030h] 7_2_018EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018EEA80 mov eax, dword ptr fs:[00000030h] 7_2_018EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_019B4A80 mov eax, dword ptr fs:[00000030h] 7_2_019B4A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E8AA0 mov eax, dword ptr fs:[00000030h] 7_2_018E8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E8AA0 mov eax, dword ptr fs:[00000030h] 7_2_018E8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01936AA4 mov eax, dword ptr fs:[00000030h] 7_2_01936AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01914AD0 mov eax, dword ptr fs:[00000030h] 7_2_01914AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01914AD0 mov eax, dword ptr fs:[00000030h] 7_2_01914AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E0AD0 mov eax, dword ptr fs:[00000030h] 7_2_018E0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01936ACC mov eax, dword ptr fs:[00000030h] 7_2_01936ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01936ACC mov eax, dword ptr fs:[00000030h] 7_2_01936ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01936ACC mov eax, dword ptr fs:[00000030h] 7_2_01936ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191AAEE mov eax, dword ptr fs:[00000030h] 7_2_0191AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191AAEE mov eax, dword ptr fs:[00000030h] 7_2_0191AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0196CA11 mov eax, dword ptr fs:[00000030h] 7_2_0196CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01904A35 mov eax, dword ptr fs:[00000030h] 7_2_01904A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01904A35 mov eax, dword ptr fs:[00000030h] 7_2_01904A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191CA38 mov eax, dword ptr fs:[00000030h] 7_2_0191CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0191CA24 mov eax, dword ptr fs:[00000030h] 7_2_0191CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0190EA2E mov eax, dword ptr fs:[00000030h] 7_2_0190EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0A5B mov eax, dword ptr fs:[00000030h] 7_2_018F0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018F0A5B mov eax, dword ptr fs:[00000030h] 7_2_018F0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E6A50 mov eax, dword ptr fs:[00000030h] 7_2_018E6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E6A50 mov eax, dword ptr fs:[00000030h] 7_2_018E6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E6A50 mov eax, dword ptr fs:[00000030h] 7_2_018E6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E6A50 mov eax, dword ptr fs:[00000030h] 7_2_018E6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E6A50 mov eax, dword ptr fs:[00000030h] 7_2_018E6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E6A50 mov eax, dword ptr fs:[00000030h] 7_2_018E6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018E6A50 mov eax, dword ptr fs:[00000030h] 7_2_018E6A50
Enables debug privileges
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe"
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe"
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe" Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe" Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtClose: Indirect: 0x134A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtQueueApcThread: Indirect: 0x134A4F2 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtClose: Indirect: 0x105A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtQueueApcThread: Indirect: 0x105A4F2
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\help.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\help.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 4088 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 4088
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 4088
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 130000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 700000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10D8008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8D5008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe" Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe" Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XXyQpOLIcjn" /XML "C:\Users\user\AppData\Local\Temp\tmpAE3C.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XXyQpOLIcjn" /XML "C:\Users\user\AppData\Local\Temp\tmpB9C5.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: explorer.exe, 00000008.00000000.899549770.0000000000560000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3322917350.0000000000560000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1ProgmanV
Source: explorer.exe, 00000008.00000000.899993597.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3323936632.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.899993597.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.903136892.0000000003F00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3323936632.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.899993597.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3323936632.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.899993597.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3323936632.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000003.2670860260.00000000084DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.906949066.00000000084DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3328325402.00000000084DE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd*
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Queries volume information: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Queries volume information: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\XXyQpOLIcjn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Invoice & Packing list For Sea Shipment.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.955570993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3322884312.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.921854884.00000000038A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.921854884.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3322242898.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.951007561.0000000003516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.969807785.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3322996222.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.955570993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3322884312.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.921854884.00000000038A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.921854884.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3322242898.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.951007561.0000000003516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.969807785.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3322996222.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1650980 Sample: Invoice & Packing list For ... Startdate: 28/03/2025 Architecture: WINDOWS Score: 100 69 www.itiz.xyz 2->69 71 www.enelog.xyz 2->71 73 10 other IPs or domains 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for URL or domain 2->79 83 12 other signatures 2->83 11 Invoice & Packing list For Sea Shipment.exe 7 2->11         started        15 XXyQpOLIcjn.exe 5 2->15         started        17 svchost.exe 2->17         started        signatures3 81 Performs DNS queries to domains with low reputation 71->81 process4 dnsIp5 55 C:\Users\user\AppData\...\XXyQpOLIcjn.exe, PE32 11->55 dropped 57 C:\Users\...\XXyQpOLIcjn.exe:Zone.Identifier, ASCII 11->57 dropped 59 C:\Users\user\AppData\Local\...\tmpAE3C.tmp, XML 11->59 dropped 61 Invoice & Packing ...ea Shipment.exe.log, ASCII 11->61 dropped 97 Writes to foreign memory regions 11->97 99 Allocates memory in foreign processes 11->99 101 Adds a directory exclusion to Windows Defender 11->101 20 RegSvcs.exe 11->20         started        23 powershell.exe 23 11->23         started        25 powershell.exe 7 11->25         started        27 schtasks.exe 1 11->27         started        103 Antivirus detection for dropped file 15->103 105 Multi AV Scanner detection for dropped file 15->105 107 Injects a PE file into a foreign processes 15->107 29 RegSvcs.exe 15->29         started        31 schtasks.exe 15->31         started        63 127.0.0.1 unknown unknown 17->63 file6 signatures7 process8 signatures9 85 Modifies the context of a thread in another process (thread injection) 20->85 87 Maps a DLL or memory area into another process 20->87 89 Sample uses process hollowing technique 20->89 95 2 other signatures 20->95 33 explorer.exe 54 1 20->33 injected 91 Loading BitLocker PowerShell Module 23->91 36 conhost.exe 23->36         started        38 WmiPrvSE.exe 23->38         started        40 conhost.exe 25->40         started        42 conhost.exe 27->42         started        93 Found direct / indirect Syscall (likely to bypass EDR) 29->93 44 conhost.exe 31->44         started        process10 dnsIp11 65 www.itiz.xyz 104.21.32.1, 49692, 80 CLOUDFLARENETUS United States 33->65 67 204.79.197.203, 443 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 33->67 46 help.exe 33->46         started        49 raserver.exe 33->49         started        process12 signatures13 109 Modifies the context of a thread in another process (thread injection) 46->109 111 Maps a DLL or memory area into another process 46->111 113 Tries to detect virtualization through RDTSC time measurements 46->113 115 Switches to a custom stack to bypass stack traces 46->115 51 cmd.exe 46->51         started        process14 process15 53 conhost.exe 51->53         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.32.1
 www.itiz.xyz United States
13335 CLOUDFLARENETUS true
204.79.197.203
 unknown United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
www.itiz.xyz 104.21.32.1 true
www.cebepu.info unknown unknown
www.olourclubbet.shop unknown unknown
www.asglobalaz.shop unknown unknown
www.gmgslzdc.sbs unknown unknown
www.0090.pizza unknown unknown
www.argloscaremedia.info unknown unknown
www.enelog.xyz unknown unknown
www.voyagu.info unknown unknown
www.urvivalflashlights.shop unknown unknown
www.ings-hu-13.today unknown unknown
www.rumpchiefofstaff.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.itiz.xyz/a03d/?06A=1S/Ml8MhhZcgUxSbm7ZuM2rP7Vmm5l/lyuGuBD/BitQWsLFnZM8smPnB3Q7M7Y+/UA9Kc3248g==&wZAD=pBZTFP-XZbx0Fd1P false
  • Avira URL Cloud: malware
 unknown
www.enelog.xyz/a03d/ false
    		high