Windows Analysis Report
PURCHASED ORDER OF ENG091.exe

Overview

General Information

Sample name:	PURCHASED ORDER OF ENG091.exe
Analysis ID:	1528882
MD5:	30ecd7046839af0716977a9ef6047e60
SHA1:	a1f6517726c9dc0f3d588b947e2aaeb4f849f58c
SHA256:	472a703381c8fe89f83b0fe4d7960b0942c5694054ba94dd85c249c4c702e0cd
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates multiple autostart registry keys

Drops PE files to the document folder of the user

Drops PE files with a suspicious file extension

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: CMSTP Execution Process Creation

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PURCHASED ORDER OF ENG091.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Avira: detection malicious, Label: HEUR/AGEN.1305452
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	Avira: detection malicious, Label: HEUR/AGEN.1305452
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Avira: detection malicious, Label: HEUR/AGEN.1305452
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Avira: detection malicious, Label: HEUR/AGEN.1305452
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Avira: detection malicious, Label: HEUR/AGEN.1305452

Found malware configuration

Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.cnoszirzbkaqz.com/btrd/"], "decoy": ["everslane.com", "prairieviewelectric.online", "dszvhgd.com", "papamuch.com", "8129k.vip", "jeffreestar.gold", "bestguestrentals.com", "nvzhuang1.net", "anangtoto.com", "yxfgor.top", "practicalpoppers.com", "thebestanglephotography.online", "koormm.top", "criika.net", "audioflow.online", "380747.net", "jiuguanwang.net", "bloxequities.com", "v321c.com", "sugar.monster", "agriwithai.com", "rd8.online", "texanboxes.com", "h7wlvwr4afx.top", "furryfriendsupply.store", "xmentorgroup.com", "runccl.com", "fairplaytavern.com", "concretecountertopsolutios.com", "wzxq.xyz", "outletivo.com", "studyasp.net", "pure1027.com", "xpffvn.cfd", "liposuctionclinics2.today", "rouchoug.top", "rifasgados.com", "tesourosobrerodas.site", "1stclasstv.net", "invest247on.com", "watch2movie.xyz", "martline.website", "naddafornadda.com", "drbtcbtc.com", "turbrun.com", "autounion999370.top", "wirewizardselectric.net", "0757hunyin.net", "researchforhighschool.com", "thedivorcesurvivalguide.com", "emeraldsurrogatefabric.com", "home-repair-contractors-kfm.xyz", "onlynaturlpt.shop", "agiletzal.site", "dylanmoranrules.com", "ngbbvuhkm5.asia", "proveedorafrac.com", "pho3nixkidsghana.com", "greatfightcompany.com", "hotnerdsg.com", "thecolourgrey.com", "librarylatte.com", "videomademagic.com", "coinrun.net"]}

Multi AV Scanner detection for domain / URL

Source: www.emeraldsurrogatefabric.com	Virustotal: Detection: 8%	Perma Link
Source: http://www.emeraldsurrogatefabric.com	Virustotal: Detection: 8%	Perma Link
Source: http://www.martline.website/btrd/	Virustotal: Detection: 15%	Perma Link
Source: www.cnoszirzbkaqz.com/btrd/	Virustotal: Detection: 6%	Perma Link
Source: http://www.emeraldsurrogatefabric.com/btrd/	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	ReversingLabs: Detection: 60%
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	ReversingLabs: Detection: 60%
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	ReversingLabs: Detection: 60%
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	ReversingLabs: Detection: 60%
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: PURCHASED ORDER OF ENG091.exe	ReversingLabs: Detection: 60%
Source: PURCHASED ORDER OF ENG091.exe	Virustotal: Detection: 63%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PURCHASED ORDER OF ENG091.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: chkdsk.pdbGCTL source: RegAsm.exe, 00000045.00000002.2892603642.0000000001380000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000046.00000002.2895393793.0000000000130000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdbGCTL source: RegAsm.exe, 00000007.00000002.2235793612.0000000001540000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365281971.0000000000220000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdb source: RegAsm.exe, 00000013.00000002.2357394928.0000000001720000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367071175.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msdt.pdbGCTL source: RegAsm.exe, 0000001B.00000002.2433869260.00000000026F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436801979.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 00000025.00000002.2526883807.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824411296.0000000000E80000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netsh.pdb source: RegAsm.exe, 0000004D.00000002.3028255621.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 0000004E.00000002.3033972586.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\password_generator-master\obj\Debug\Aewlani.pdb source: PURCHASED ORDER OF ENG091.exe, 00000000.00000000.2119834627.0000000000442000.00000002.00000001.01000000.00000003.sdmp, cmd.exe, 00000005.00000003.2161957449.00000000032E5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2315915569.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000003.2390659515.0000000003086000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000022.00000003.2479534553.0000000002695000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002A.00000003.2596807840.0000000003135000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000032.00000003.2684351983.00000000032E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000003A.00000003.2769484455.0000000002905000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000043.00000003.2848660519.00000000032C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000004B.00000003.2975731288.00000000035E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: RegAsm.exe, 00000013.00000002.2357394928.0000000001720000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367071175.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: RegAsm.exe, 00000045.00000002.2892603642.0000000001380000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000046.00000002.2895393793.0000000000130000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000007.00000002.2236865702.0000000003320000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2237767546.0000000004599000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.0000000004740000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2235631145.00000000043E5000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2357315746.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2364128162.0000000004CBC000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.000000000500E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004B9E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2432746712.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2435053187.0000000004854000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.000000000502E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2522733065.0000000004AEF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2524932833.0000000004CDC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2644284547.00000000046C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2647610865.0000000004879000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2729298239.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002CE0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002E7E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2727219080.0000000002985000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2815565973.0000000004B43000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004E8E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2812512464.0000000004999000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000046.00000003.2893566375.00000000056D8000.00000004.00000020.00020000.00000
Source:	Binary string: RegAsm.pdb source: explorer.exe, 00000008.00000002.3389406505.0000000010A9F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3367455817.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365692981.000000000293B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netsh.pdbGCTL source: RegAsm.exe, 0000004D.00000002.3028255621.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 0000004E.00000002.3033972586.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2236865702.0000000003320000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2237767546.0000000004599000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.0000000004740000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2235631145.00000000043E5000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2357315746.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2364128162.0000000004CBC000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.000000000500E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004B9E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2432746712.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2435053187.0000000004854000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.000000000502E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2522733065.0000000004AEF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2524932833.0000000004CDC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2644284547.00000000046C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2647610865.0000000004879000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2729298239.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002CE0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002E7E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2727219080.0000000002985000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2815565973.0000000004B43000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004E8E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2812512464.0000000004999000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000046.00000003.2893566375.00000000056D8000.00000004.00000020.00020
Source:	Binary string: rundll32.pdb source: RegAsm.exe, 0000002C.00000002.2646537881.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2648985101.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: RegAsm.exe, 00000034.00000002.2729173666.0000000002940000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732547455.0000000000960000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: RegAsm.exe, 0000002C.00000002.2646537881.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2648985101.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: RegAsm.exe, 00000007.00000002.2235793612.0000000001540000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365281971.0000000000220000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: explorer.exe, 00000008.00000002.3389406505.0000000010A9F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3367455817.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365692981.000000000293B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msdt.pdb source: RegAsm.exe, 0000001B.00000002.2433869260.00000000026F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436801979.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 00000025.00000002.2526883807.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824411296.0000000000E80000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: RegAsm.exe, 00000034.00000002.2729173666.0000000002940000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732547455.0000000000960000.00000040.80000000.00040000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49995 -> 104.21.93.17:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49995 -> 104.21.93.17:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49995 -> 104.21.93.17:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50000 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50000 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50000 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50006 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50006 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50006 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49882 -> 192.243.59.20:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49882 -> 192.243.59.20:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49882 -> 192.243.59.20:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49992 -> 34.205.242.146:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49992 -> 34.205.242.146:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49992 -> 34.205.242.146:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.cnoszirzbkaqz.com/btrd/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?8pn=ChvLWF0pZdjL9&orD=G5lr6//zQ7aMiplq1GdUNb9GEJVmzQOhD2w3hHYWxcuiBbLjkdh8uX+W8X62ffIzaE+7zSgsRw== HTTP/1.1Host: www.emeraldsurrogatefabric.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?orD=Eh2Xpu8l9dqABVqMRkelxcAdaQWRauo4zIVE3zjkUJjpFQNmsYxfVbqaI7I2lWlUEjDmoepSbg==&8pn=ChvLWF0pZdjL9 HTTP/1.1Host: www.pure1027.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?8pn=ChvLWF0pZdjL9&orD=1hanRQkKsw2EpQWVKCl4LROlWZtcCFpSARtuzqwGSwLi36Og4ncRpLu12qyBMcT+6ho6oQQ/oA== HTTP/1.1Host: www.thecolourgrey.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?orD=sqRP0a8aV68K6FqJqAk+hHqxgWstkLnSX2TzjpZXqgEq2vKFORbsNIdmsOuhVtdKxSDXL4nXjg==&8pn=ChvLWF0pZdjL9 HTTP/1.1Host: www.anangtoto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.205.242.146 34.205.242.146
Source: Joe Sandbox View	IP Address: 192.243.59.20 192.243.59.20
Source: Joe Sandbox View	IP Address: 192.243.59.20 192.243.59.20

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: ADVANCEDHOSTERS-ASNL ADVANCEDHOSTERS-ASNL
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 8_2_1135CF82 getaddrinfo,setsockopt,recv,

8_2_1135CF82

Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?8pn=ChvLWF0pZdjL9&orD=G5lr6//zQ7aMiplq1GdUNb9GEJVmzQOhD2w3hHYWxcuiBbLjkdh8uX+W8X62ffIzaE+7zSgsRw== HTTP/1.1Host: www.emeraldsurrogatefabric.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?orD=Eh2Xpu8l9dqABVqMRkelxcAdaQWRauo4zIVE3zjkUJjpFQNmsYxfVbqaI7I2lWlUEjDmoepSbg==&8pn=ChvLWF0pZdjL9 HTTP/1.1Host: www.pure1027.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?8pn=ChvLWF0pZdjL9&orD=1hanRQkKsw2EpQWVKCl4LROlWZtcCFpSARtuzqwGSwLi36Og4ncRpLu12qyBMcT+6ho6oQQ/oA== HTTP/1.1Host: www.thecolourgrey.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?orD=sqRP0a8aV68K6FqJqAk+hHqxgWstkLnSX2TzjpZXqgEq2vKFORbsNIdmsOuhVtdKxSDXL4nXjg==&8pn=ChvLWF0pZdjL9 HTTP/1.1Host: www.anangtoto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: youngonven.com
Source: global traffic	DNS traffic detected: DNS query: www.emeraldsurrogatefabric.com
Source: global traffic	DNS traffic detected: DNS query: www.pure1027.com
Source: global traffic	DNS traffic detected: DNS query: www.thecolourgrey.com
Source: global traffic	DNS traffic detected: DNS query: www.anangtoto.com
Source: global traffic	DNS traffic detected: DNS query: www.0757hunyin.net
Source: global traffic	DNS traffic detected: DNS query: www.texanboxes.com

Source: explorer.exe, 00000008.00000000.2185822168.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000008.00000000.2185822168.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000008.00000000.2185822168.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000008.00000000.2185822168.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000008.00000002.3377674269.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000008.00000000.2180118675.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3367289730.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3374312359.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2174149800.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2329293185.0000000002701000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2403280656.00000000022EC000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2493397578.0000000002351000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2612943933.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 0000002E.00000002.2700394567.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 00000036.00000002.2785236388.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 0000003F.00000002.2864011147.0000000002911000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 00000047.00000002.2995542174.000000000337C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0757hunyin.net
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0757hunyin.net/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0757hunyin.net/btrd/www.texanboxes.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0757hunyin.netReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anangtoto.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anangtoto.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anangtoto.com/btrd/www.0757hunyin.net
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anangtoto.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cnoszirzbkaqz.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cnoszirzbkaqz.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cnoszirzbkaqz.com/btrd/www.thebestanglephotography.online
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cnoszirzbkaqz.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emeraldsurrogatefabric.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emeraldsurrogatefabric.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emeraldsurrogatefabric.com/btrd/www.pure1027.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emeraldsurrogatefabric.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.invest247on.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.invest247on.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.invest247on.com/btrd/www.xmentorgroup.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.invest247on.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.martline.website
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.martline.website/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.martline.website/btrd/www.naddafornadda.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.martline.websiteReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.naddafornadda.com
Source: explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.naddafornadda.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.naddafornadda.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outletivo.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outletivo.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outletivo.com/btrd/www.martline.website
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outletivo.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pure1027.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pure1027.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pure1027.com/btrd/www.thecolourgrey.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pure1027.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rd8.online
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rd8.online/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rd8.online/btrd/www.researchforhighschool.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rd8.onlineReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.researchforhighschool.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.researchforhighschool.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.researchforhighschool.com/btrd/www.invest247on.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.researchforhighschool.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texanboxes.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texanboxes.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texanboxes.com/btrd/www.watch2movie.xyz
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texanboxes.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thebestanglephotography.online
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thebestanglephotography.online/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thebestanglephotography.online/btrd/www.rd8.online
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thebestanglephotography.onlineReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thecolourgrey.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thecolourgrey.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thecolourgrey.com/btrd/www.anangtoto.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thecolourgrey.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.watch2movie.xyz
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.watch2movie.xyz/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.watch2movie.xyz/btrd/www.cnoszirzbkaqz.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.watch2movie.xyzReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xmentorgroup.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xmentorgroup.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xmentorgroup.com/btrd/www.outletivo.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xmentorgroup.comReferer:
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2174149800.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2329293185.0000000002701000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2403280656.00000000022EC000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2493397578.0000000002351000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2612943933.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 0000002E.00000002.2700394567.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 00000036.00000002.2785236388.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 0000003F.00000002.2864011147.0000000002911000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 00000047.00000002.2995542174.000000000337C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://youngonven.com
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2174149800.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2329293185.0000000002701000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2403280656.000000000228C000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2493397578.0000000002351000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2612943933.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 0000002E.00000002.2700394567.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 00000036.00000002.2785236388.000000000329C000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 0000003F.00000002.2864011147.0000000002911000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 00000047.00000002.2995542174.000000000331C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://youngonven.com/1485
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000000.2119834627.0000000000442000.00000002.00000001.01000000.00000003.sdmp, cmd.exe, 00000005.00000003.2161957449.00000000032E5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2315915569.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000003.2390659515.0000000003086000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000022.00000003.2479534553.0000000002695000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002A.00000003.2596807840.0000000003135000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000032.00000003.2684351983.00000000032E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000003A.00000003.2769484455.0000000002905000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000043.00000003.2848660519.00000000032C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000004B.00000003.2975731288.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://youngonven.com/1485#Re
Source: explorer.exe, 00000008.00000002.3377674269.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3074869572.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2979140509.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2186408127.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000008.00000002.3385226475.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2191523498.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000008.00000002.3377674269.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000008.00000002.3377674269.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000008.00000002.3377674269.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000008.00000002.3385226475.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2981523077.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2191523498.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000008.00000002.3385226475.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2981523077.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2191523498.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000008.00000002.3385226475.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2191523498.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000002.3377674269.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3074869572.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2979140509.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2186408127.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000008.00000002.3385226475.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2981523077.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2191523498.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000008.00000002.3389406505.0000000010F8F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3367455817.000000000517F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hugedomains.com/domain_profile.cfm?d=pure1027.com
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: PURCHASED ORDER OF ENG091.exe PID: 3472, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 5412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: cmstp.exe PID: 5552, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif PID: 5728, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmmon32.exe PID: 4620, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif PID: 4872, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 3700, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif PID: 3004, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif PID: 3924, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 1824, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif PID: 5128, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wlanext.exe PID: 3632, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif PID: 2264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 5748, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif.pif PID: 2704, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 6488, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif.pif PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: netsh.exe PID: 5096, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PURCHASED ORDER OF ENG091.exe

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A340 NtCreateFile,	7_2_0041A340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A3F0 NtReadFile,	7_2_0041A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A470 NtClose,	7_2_0041A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A520 NtAllocateVirtualMemory,	7_2_0041A520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A3EA NtReadFile,	7_2_0041A3EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A392 NtCreateFile,NtReadFile,	7_2_0041A392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A43A NtReadFile,	7_2_0041A43A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392B60 NtClose,LdrInitializeThunk,	7_2_03392B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_03392BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392AD0 NtReadFile,LdrInitializeThunk,	7_2_03392AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392F30 NtCreateSection,LdrInitializeThunk,	7_2_03392F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392FB0 NtResumeThread,LdrInitializeThunk,	7_2_03392FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392F90 NtProtectVirtualMemory,LdrInitializeThunk,	7_2_03392F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392FE0 NtCreateFile,LdrInitializeThunk,	7_2_03392FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_03392EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_03392E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_03392D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_03392D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_03392DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392DD0 NtDelayExecution,LdrInitializeThunk,	7_2_03392DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_03392C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_03392CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03394340 NtSetContextThread,	7_2_03394340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03394650 NtSuspendThread,	7_2_03394650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392BA0 NtEnumerateValueKey,	7_2_03392BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392B80 NtQueryInformationFile,	7_2_03392B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392BE0 NtQueryValueKey,	7_2_03392BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392AB0 NtWaitForSingleObject,	7_2_03392AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392AF0 NtWriteFile,	7_2_03392AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392F60 NtCreateProcessEx,	7_2_03392F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392FA0 NtQuerySection,	7_2_03392FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392E30 NtWriteVirtualMemory,	7_2_03392E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392EE0 NtQueueApcThread,	7_2_03392EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392D00 NtSetInformationFile,	7_2_03392D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392DB0 NtEnumerateKey,	7_2_03392DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392C00 NtQueryInformationProcess,	7_2_03392C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392C60 NtCreateKey,	7_2_03392C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392CF0 NtOpenProcess,	7_2_03392CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392CC0 NtQueryVirtualMemory,	7_2_03392CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03393010 NtOpenDirectoryObject,	7_2_03393010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03393090 NtSetValueKey,	7_2_03393090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033935C0 NtCreateMutant,	7_2_033935C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033939B0 NtGetContextThread,	7_2_033939B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03393D10 NtOpenProcessToken,	7_2_03393D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03393D70 NtOpenThread,	7_2_03393D70
Source: C:\Windows\explorer.exe	Code function: 8_2_1135C232 NtCreateFile,	8_2_1135C232
Source: C:\Windows\explorer.exe	Code function: 8_2_1135DE12 NtProtectVirtualMemory,	8_2_1135DE12
Source: C:\Windows\explorer.exe	Code function: 8_2_1135DE0A NtProtectVirtualMemory,	8_2_1135DE0A

Detected potential crypto function

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Code function: 0_2_00A8D57C	0_2_00A8D57C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00401030	7_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D8D3	7_2_0041D8D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041E222	7_2_0041E222
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041E5D6	7_2_0041E5D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D583	7_2_0041D583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00402D90	7_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041EDA5	7_2_0041EDA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041DDB3	7_2_0041DDB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00409E5B	7_2_00409E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00409E60	7_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00402FB0	7_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341A352	7_2_0341A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034203E6	7_2_034203E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E3F0	7_2_0336E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E02C0	7_2_033E02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FA118	7_2_033FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350100	7_2_03350100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E8158	7_2_033E8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034181CC	7_2_034181CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034141A2	7_2_034141A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034201AA	7_2_034201AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03384750	7_2_03384750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335C7C0	7_2_0335C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337C6E0	7_2_0337C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03420591	7_2_03420591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03412446	7_2_03412446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03404420	7_2_03404420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340E4F6	7_2_0340E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341AB40	7_2_0341AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03416BD7	7_2_03416BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03376962	7_2_03376962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0342A9A6	7_2_0342A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03362840	7_2_03362840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336A840	7_2_0336A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033468B8	7_2_033468B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E8F0	7_2_0338E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03380F30	7_2_03380F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A2F28	7_2_033A2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03402F30	7_2_03402F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D4F40	7_2_033D4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DEFA0	7_2_033DEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336CFE0	7_2_0336CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03352FC8	7_2_03352FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341EE26	7_2_0341EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360E59	7_2_03360E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341EEDB	7_2_0341EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372E90	7_2_03372E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341CE93	7_2_0341CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FCD1F	7_2_033FCD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336AD00	7_2_0336AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03378DBF	7_2_03378DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335ADE0	7_2_0335ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360C00	7_2_03360C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350CF2	7_2_03350CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400CB5	7_2_03400CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341132D	7_2_0341132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334D34C	7_2_0334D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A739A	7_2_033A739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033652A0	7_2_033652A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034012ED	7_2_034012ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337B2C0	7_2_0337B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0342B16B	7_2_0342B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334F172	7_2_0334F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0339516C	7_2_0339516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336B1B0	7_2_0336B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340F0CC	7_2_0340F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341F0E0	7_2_0341F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034170E9	7_2_034170E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033670C0	7_2_033670C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341F7B0	7_2_0341F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A5630	7_2_033A5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034116CC	7_2_034116CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03417571	7_2_03417571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FD5B0	7_2_033FD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03351460	7_2_03351460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341F43F	7_2_0341F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341FB76	7_2_0341FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337FB80	7_2_0337FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0339DBF9	7_2_0339DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D5BF0	7_2_033D5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03417A46	7_2_03417A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341FA49	7_2_0341FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D3A6C	7_2_033D3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340DAC6	7_2_0340DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FDAAC	7_2_033FDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A5AA0	7_2_033A5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03401AA3	7_2_03401AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F5910	7_2_033F5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03369950	7_2_03369950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337B950	7_2_0337B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CD800	7_2_033CD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033638E0	7_2_033638E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341FF09	7_2_0341FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03361F92	7_2_03361F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341FFB1	7_2_0341FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03369EB0	7_2_03369EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03411D5A	7_2_03411D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03417D73	7_2_03417D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03363D40	7_2_03363D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337FDC0	7_2_0337FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D9C32	7_2_033D9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341FCF2	7_2_0341FCF2
Source: C:\Windows\explorer.exe	Code function: 8_2_08D6A082	8_2_08D6A082
Source: C:\Windows\explorer.exe	Code function: 8_2_08D73036	8_2_08D73036
Source: C:\Windows\explorer.exe	Code function: 8_2_08D775CD	8_2_08D775CD
Source: C:\Windows\explorer.exe	Code function: 8_2_08D71912	8_2_08D71912
Source: C:\Windows\explorer.exe	Code function: 8_2_08D6BD02	8_2_08D6BD02
Source: C:\Windows\explorer.exe	Code function: 8_2_08D74232	8_2_08D74232
Source: C:\Windows\explorer.exe	Code function: 8_2_08D6EB32	8_2_08D6EB32
Source: C:\Windows\explorer.exe	Code function: 8_2_08D6EB30	8_2_08D6EB30
Source: C:\Windows\explorer.exe	Code function: 8_2_0B895B30	8_2_0B895B30
Source: C:\Windows\explorer.exe	Code function: 8_2_0B895B32	8_2_0B895B32
Source: C:\Windows\explorer.exe	Code function: 8_2_0B89B232	8_2_0B89B232
Source: C:\Windows\explorer.exe	Code function: 8_2_0B89E5CD	8_2_0B89E5CD
Source: C:\Windows\explorer.exe	Code function: 8_2_0B892D02	8_2_0B892D02
Source: C:\Windows\explorer.exe	Code function: 8_2_0B898912	8_2_0B898912
Source: C:\Windows\explorer.exe	Code function: 8_2_0B891082	8_2_0B891082
Source: C:\Windows\explorer.exe	Code function: 8_2_0B89A036	8_2_0B89A036
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE39B32	8_2_0BE39B32
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE39B30	8_2_0BE39B30
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE3F232	8_2_0BE3F232
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE425CD	8_2_0BE425CD
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE36D02	8_2_0BE36D02
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE3C912	8_2_0BE3C912
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE35082	8_2_0BE35082
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE3E036	8_2_0BE3E036
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5B0232	8_2_0E5B0232
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5AAB32	8_2_0E5AAB32
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5AAB30	8_2_0E5AAB30
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5AF036	8_2_0E5AF036
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5A6082	8_2_0E5A6082
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5AD912	8_2_0E5AD912
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5A7D02	8_2_0E5A7D02
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5B35CD	8_2_0E5B35CD
Source: C:\Windows\explorer.exe	Code function: 8_2_0E753232	8_2_0E753232
Source: C:\Windows\explorer.exe	Code function: 8_2_0E74DB30	8_2_0E74DB30
Source: C:\Windows\explorer.exe	Code function: 8_2_0E74DB32	8_2_0E74DB32
Source: C:\Windows\explorer.exe	Code function: 8_2_0E752036	8_2_0E752036
Source: C:\Windows\explorer.exe	Code function: 8_2_0E749082	8_2_0E749082
Source: C:\Windows\explorer.exe	Code function: 8_2_0E750912	8_2_0E750912
Source: C:\Windows\explorer.exe	Code function: 8_2_0E74AD02	8_2_0E74AD02
Source: C:\Windows\explorer.exe	Code function: 8_2_0E7565CD	8_2_0E7565CD
Source: C:\Windows\explorer.exe	Code function: 8_2_0E87D232	8_2_0E87D232
Source: C:\Windows\explorer.exe	Code function: 8_2_0E877B32	8_2_0E877B32
Source: C:\Windows\explorer.exe	Code function: 8_2_0E877B30	8_2_0E877B30
Source: C:\Windows\explorer.exe	Code function: 8_2_0E873082	8_2_0E873082
Source: C:\Windows\explorer.exe	Code function: 8_2_0E87C036	8_2_0E87C036
Source: C:\Windows\explorer.exe	Code function: 8_2_0E8805CD	8_2_0E8805CD
Source: C:\Windows\explorer.exe	Code function: 8_2_0E874D02	8_2_0E874D02
Source: C:\Windows\explorer.exe	Code function: 8_2_0E87A912	8_2_0E87A912
Source: C:\Windows\explorer.exe	Code function: 8_2_101E2036	8_2_101E2036
Source: C:\Windows\explorer.exe	Code function: 8_2_101D9082	8_2_101D9082
Source: C:\Windows\explorer.exe	Code function: 8_2_101E0912	8_2_101E0912
Source: C:\Windows\explorer.exe	Code function: 8_2_101DAD02	8_2_101DAD02
Source: C:\Windows\explorer.exe	Code function: 8_2_101E65CD	8_2_101E65CD
Source: C:\Windows\explorer.exe	Code function: 8_2_101E3232	8_2_101E3232
Source: C:\Windows\explorer.exe	Code function: 8_2_101DDB30	8_2_101DDB30
Source: C:\Windows\explorer.exe	Code function: 8_2_101DDB32	8_2_101DDB32
Source: C:\Windows\explorer.exe	Code function: 8_2_102C4036	8_2_102C4036
Source: C:\Windows\explorer.exe	Code function: 8_2_102BB082	8_2_102BB082
Source: C:\Windows\explorer.exe	Code function: 8_2_102BCD02	8_2_102BCD02
Source: C:\Windows\explorer.exe	Code function: 8_2_102C2912	8_2_102C2912
Source: C:\Windows\explorer.exe	Code function: 8_2_102C85CD	8_2_102C85CD
Source: C:\Windows\explorer.exe	Code function: 8_2_102C5232	8_2_102C5232
Source: C:\Windows\explorer.exe	Code function: 8_2_102BFB32	8_2_102BFB32
Source: C:\Windows\explorer.exe	Code function: 8_2_102BFB30	8_2_102BFB30
Source: C:\Windows\explorer.exe	Code function: 8_2_1041E036	8_2_1041E036
Source: C:\Windows\explorer.exe	Code function: 8_2_10415082	8_2_10415082
Source: C:\Windows\explorer.exe	Code function: 8_2_10416D02	8_2_10416D02
Source: C:\Windows\explorer.exe	Code function: 8_2_1041C912	8_2_1041C912
Source: C:\Windows\explorer.exe	Code function: 8_2_104225CD	8_2_104225CD
Source: C:\Windows\explorer.exe	Code function: 8_2_1041F232	8_2_1041F232
Source: C:\Windows\explorer.exe	Code function: 8_2_10419B30	8_2_10419B30
Source: C:\Windows\explorer.exe	Code function: 8_2_10419B32	8_2_10419B32
Source: C:\Windows\explorer.exe	Code function: 8_2_106F5036	8_2_106F5036
Source: C:\Windows\explorer.exe	Code function: 8_2_106EC082	8_2_106EC082
Source: C:\Windows\explorer.exe	Code function: 8_2_106EDD02	8_2_106EDD02
Source: C:\Windows\explorer.exe	Code function: 8_2_106F3912	8_2_106F3912
Source: C:\Windows\explorer.exe	Code function: 8_2_106F95CD	8_2_106F95CD
Source: C:\Windows\explorer.exe	Code function: 8_2_106F6232	8_2_106F6232
Source: C:\Windows\explorer.exe	Code function: 8_2_106F0B32	8_2_106F0B32
Source: C:\Windows\explorer.exe	Code function: 8_2_106F0B30	8_2_106F0B30
Source: C:\Windows\explorer.exe	Code function: 8_2_1135C232	8_2_1135C232
Source: C:\Windows\explorer.exe	Code function: 8_2_11356B30	8_2_11356B30
Source: C:\Windows\explorer.exe	Code function: 8_2_11356B32	8_2_11356B32
Source: C:\Windows\explorer.exe	Code function: 8_2_11359912	8_2_11359912
Source: C:\Windows\explorer.exe	Code function: 8_2_11353D02	8_2_11353D02
Source: C:\Windows\explorer.exe	Code function: 8_2_1135F5CD	8_2_1135F5CD
Source: C:\Windows\explorer.exe	Code function: 8_2_1135B036	8_2_1135B036
Source: C:\Windows\explorer.exe	Code function: 8_2_11352082	8_2_11352082
Source: C:\Windows\explorer.exe	Code function: 8_2_114A9D02	8_2_114A9D02
Source: C:\Windows\explorer.exe	Code function: 8_2_114AF912	8_2_114AF912
Source: C:\Windows\explorer.exe	Code function: 8_2_114B55CD	8_2_114B55CD
Source: C:\Windows\explorer.exe	Code function: 8_2_114B1036	8_2_114B1036
Source: C:\Windows\explorer.exe	Code function: 8_2_114A8082	8_2_114A8082
Source: C:\Windows\explorer.exe	Code function: 8_2_114ACB32	8_2_114ACB32
Source: C:\Windows\explorer.exe	Code function: 8_2_114ACB30	8_2_114ACB30
Source: C:\Windows\explorer.exe	Code function: 8_2_114B2232	8_2_114B2232
Source: C:\Windows\explorer.exe	Code function: 8_2_11B705CD	8_2_11B705CD
Source: C:\Windows\explorer.exe	Code function: 8_2_11B6A912	8_2_11B6A912
Source: C:\Windows\explorer.exe	Code function: 8_2_11B64D02	8_2_11B64D02
Source: C:\Windows\explorer.exe	Code function: 8_2_11B63082	8_2_11B63082
Source: C:\Windows\explorer.exe	Code function: 8_2_11B6C036	8_2_11B6C036
Source: C:\Windows\explorer.exe	Code function: 8_2_11B67B32	8_2_11B67B32
Source: C:\Windows\explorer.exe	Code function: 8_2_11B67B30	8_2_11B67B30
Source: C:\Windows\explorer.exe	Code function: 8_2_11B6D232	8_2_11B6D232

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 033CEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 03395130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 033DF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0334B970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 033A7E54 appears 111 times

Sample file is different than original file name gathered from version info

Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2173126899.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PURCHASED ORDER OF ENG091.exe
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000000.2119860002.0000000000448000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAewlani.exe4 vs PURCHASED ORDER OF ENG091.exe

Uses 32bit PE files

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses a Windows Living Off The Land Binaries (LOL bins)

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"			Jump to behavior

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"

Yara signature match

Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: PURCHASED ORDER OF ENG091.exe PID: 3472, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 5412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: cmstp.exe PID: 5552, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif PID: 5728, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmmon32.exe PID: 4620, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif PID: 4872, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 3700, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif PID: 3004, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif PID: 3924, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 1824, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif PID: 5128, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wlanext.exe PID: 3632, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif PID: 2264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 5748, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif.pif PID: 2704, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 6488, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif.pif PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: netsh.exe PID: 5096, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@474/15@7/5

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASED ORDER OF ENG091.exe.log

Jump to behavior

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_03

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PURCHASED ORDER OF ENG091.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\explorer.exe

File read: C:\Users\user\Documents\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"

Source: PURCHASED ORDER OF ENG091.exe	ReversingLabs: Detection: 60%
Source: PURCHASED ORDER OF ENG091.exe	Virustotal: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe "C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe"
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: devobj.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: chkdsk.pdbGCTL source: RegAsm.exe, 00000045.00000002.2892603642.0000000001380000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000046.00000002.2895393793.0000000000130000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdbGCTL source: RegAsm.exe, 00000007.00000002.2235793612.0000000001540000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365281971.0000000000220000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdb source: RegAsm.exe, 00000013.00000002.2357394928.0000000001720000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367071175.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msdt.pdbGCTL source: RegAsm.exe, 0000001B.00000002.2433869260.00000000026F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436801979.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 00000025.00000002.2526883807.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824411296.0000000000E80000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netsh.pdb source: RegAsm.exe, 0000004D.00000002.3028255621.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 0000004E.00000002.3033972586.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\password_generator-master\obj\Debug\Aewlani.pdb source: PURCHASED ORDER OF ENG091.exe, 00000000.00000000.2119834627.0000000000442000.00000002.00000001.01000000.00000003.sdmp, cmd.exe, 00000005.00000003.2161957449.00000000032E5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2315915569.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000003.2390659515.0000000003086000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000022.00000003.2479534553.0000000002695000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002A.00000003.2596807840.0000000003135000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000032.00000003.2684351983.00000000032E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000003A.00000003.2769484455.0000000002905000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000043.00000003.2848660519.00000000032C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000004B.00000003.2975731288.00000000035E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: RegAsm.exe, 00000013.00000002.2357394928.0000000001720000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367071175.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: RegAsm.exe, 00000045.00000002.2892603642.0000000001380000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000046.00000002.2895393793.0000000000130000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000007.00000002.2236865702.0000000003320000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2237767546.0000000004599000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.0000000004740000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2235631145.00000000043E5000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2357315746.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2364128162.0000000004CBC000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.000000000500E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004B9E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2432746712.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2435053187.0000000004854000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.000000000502E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2522733065.0000000004AEF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2524932833.0000000004CDC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2644284547.00000000046C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2647610865.0000000004879000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2729298239.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002CE0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002E7E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2727219080.0000000002985000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2815565973.0000000004B43000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004E8E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2812512464.0000000004999000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000046.00000003.2893566375.00000000056D8000.00000004.00000020.00020000.00000
Source:	Binary string: RegAsm.pdb source: explorer.exe, 00000008.00000002.3389406505.0000000010A9F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3367455817.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365692981.000000000293B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netsh.pdbGCTL source: RegAsm.exe, 0000004D.00000002.3028255621.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 0000004E.00000002.3033972586.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2236865702.0000000003320000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2237767546.0000000004599000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.0000000004740000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2235631145.00000000043E5000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2357315746.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2364128162.0000000004CBC000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.000000000500E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004B9E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2432746712.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2435053187.0000000004854000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.000000000502E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2522733065.0000000004AEF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2524932833.0000000004CDC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2644284547.00000000046C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2647610865.0000000004879000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2729298239.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002CE0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002E7E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2727219080.0000000002985000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2815565973.0000000004B43000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004E8E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2812512464.0000000004999000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000046.00000003.2893566375.00000000056D8000.00000004.00000020.00020
Source:	Binary string: rundll32.pdb source: RegAsm.exe, 0000002C.00000002.2646537881.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2648985101.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: RegAsm.exe, 00000034.00000002.2729173666.0000000002940000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732547455.0000000000960000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: RegAsm.exe, 0000002C.00000002.2646537881.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2648985101.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: RegAsm.exe, 00000007.00000002.2235793612.0000000001540000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365281971.0000000000220000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: explorer.exe, 00000008.00000002.3389406505.0000000010A9F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3367455817.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365692981.000000000293B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msdt.pdb source: RegAsm.exe, 0000001B.00000002.2433869260.00000000026F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436801979.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 00000025.00000002.2526883807.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824411296.0000000000E80000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: RegAsm.exe, 00000034.00000002.2729173666.0000000002940000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732547455.0000000000960000.00000040.80000000.00040000.00000000.sdmp

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Code function: 0_2_00A88FA0 push eax; iretd	0_2_00A88F87
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Code function: 0_2_00A88F7D push eax; iretd	0_2_00A88F87
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Code function: 0_2_00A8D9BA push esp; ret	0_2_00A8D9F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004179C8 push es; retf	7_2_004179C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00410B2E push edx; retf	7_2_00410B2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D4E2 push eax; ret	7_2_0041D4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D4EB push eax; ret	7_2_0041D552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D495 push eax; ret	7_2_0041D4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D54C push eax; ret	7_2_0041D552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00407D65 push esi; iretd	7_2_00407D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004165BD push esi; retf	7_2_004165BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033509AD push ecx; mov dword ptr [esp], ecx	7_2_033509B6
Source: C:\Windows\explorer.exe	Code function: 8_2_08D779B5 push esp; retn 0000h	8_2_08D77AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_08D77B1E push esp; retn 0000h	8_2_08D77B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_08D77B02 push esp; retn 0000h	8_2_08D77B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0B89EB02 push esp; retn 0000h	8_2_0B89EB03
Source: C:\Windows\explorer.exe	Code function: 8_2_0B89EB1E push esp; retn 0000h	8_2_0B89EB1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0B89E9B5 push esp; retn 0000h	8_2_0B89EAE7
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE42B02 push esp; retn 0000h	8_2_0BE42B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE42B1E push esp; retn 0000h	8_2_0BE42B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE429B5 push esp; retn 0000h	8_2_0BE42AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5B3B1E push esp; retn 0000h	8_2_0E5B3B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5B3B02 push esp; retn 0000h	8_2_0E5B3B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5B39B5 push esp; retn 0000h	8_2_0E5B3AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_0E756B1E push esp; retn 0000h	8_2_0E756B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0E756B02 push esp; retn 0000h	8_2_0E756B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0E7569B5 push esp; retn 0000h	8_2_0E756AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_0E880B02 push esp; retn 0000h	8_2_0E880B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0E880B1E push esp; retn 0000h	8_2_0E880B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0E8809B5 push esp; retn 0000h	8_2_0E880AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_101E69B5 push esp; retn 0000h	8_2_101E6AE7

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Jump to dropped file

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Jump to dropped file

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Drops PE files

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif.pif.pif

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xE5

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif PID: 5728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif PID: 4872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif PID: 3004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif PID: 3924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif PID: 5128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif PID: 2264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif.pif PID: 2704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif.pif PID: 6648, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 28B9904 second address: 28B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 28B9B7E second address: 28B9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 2ED9904 second address: 2ED990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 2ED9B7E second address: 2ED9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 6E9904 second address: 6E990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 6E9B7E second address: 6E9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: B39904 second address: B3990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: B39B7E second address: B39B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 2C09904 second address: 2C0990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 2C09B7E second address: 2C09B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 609904 second address: 60990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 609B7E second address: 609B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 969904 second address: 96990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 969B7E second address: 969B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 5079904 second address: 507990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 5079B7E second address: 5079B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 3199904 second address: 319990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 3199B7E second address: 3199B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Memory allocated: A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Memory allocated: DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: B80000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: 2700000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: B80000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: 710000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: 2280000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: 21B0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: 840000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: 2350000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: 2290000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: 2B10000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: 2CA0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: 4CA0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: 2AC0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: 2AC0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: 17B0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: 3290000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: 5290000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Memory allocated: 26F0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Memory allocated: 2910000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Memory allocated: 4910000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Memory allocated: 3310000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Memory allocated: 3110000 memory reserve \| memory write watch

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_00409AB0 rdtsc

7_2_00409AB0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9473	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 459	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 525	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 7174	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 2797	Jump to behavior

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 1.6 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe TID: 1292	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe TID: 2264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4344	Thread sleep time: -18946000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4344	Thread sleep time: -918000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4876	Thread sleep count: 7174 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4876	Thread sleep time: -14348000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4876	Thread sleep count: 2797 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4876	Thread sleep time: -5594000s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif TID: 5956	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif TID: 7164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif TID: 6628	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif TID: 3564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif TID: 5332	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif TID: 3632	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif TID: 2308	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif TID: 2420	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif TID: 4884	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif TID: 4200	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif TID: 6244	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif TID: 3960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif TID: 7072	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif TID: 6740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif TID: 5696	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif TID: 6492	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Thread delayed: delay time: 922337203685477

Source: explorer.exe, 00000008.00000002.3377674269.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000008.00000002.3377674269.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2401595350.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: explorer.exe, 00000008.00000003.2979140509.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000008.00000002.3377674269.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000008.00000000.2192292885.000000000C474000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: &me#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94
Source: explorer.exe, 00000008.00000000.2175448069.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2185822168.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000008.00000000.2175448069.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 00000047.00000002.2991343791.000000000146B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000008.00000003.2979140509.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: PURCHASED ORDER OF ENG091.pif.pif.pif, 00000036.00000002.2781754362.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: explorer.exe, 00000008.00000000.2175448069.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2173848112.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2326904554.000000000073D000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2491782208.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2612117214.0000000001234000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 0000002E.00000002.2696733551.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 0000003F.00000002.2862373835.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000008.00000003.2979140509.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000008.00000000.2175448069.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_00409AB0 rdtsc

7_2_00409AB0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_0040ACF0 LdrLoadDll,

7_2_0040ACF0

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0342634F mov eax, dword ptr fs:[00000030h]	7_2_0342634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341A352 mov eax, dword ptr fs:[00000030h]	7_2_0341A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334C310 mov ecx, dword ptr fs:[00000030h]	7_2_0334C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03370310 mov ecx, dword ptr fs:[00000030h]	7_2_03370310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A30B mov eax, dword ptr fs:[00000030h]	7_2_0338A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A30B mov eax, dword ptr fs:[00000030h]	7_2_0338A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A30B mov eax, dword ptr fs:[00000030h]	7_2_0338A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F437C mov eax, dword ptr fs:[00000030h]	7_2_033F437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D035C mov eax, dword ptr fs:[00000030h]	7_2_033D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D035C mov eax, dword ptr fs:[00000030h]	7_2_033D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D035C mov eax, dword ptr fs:[00000030h]	7_2_033D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D035C mov ecx, dword ptr fs:[00000030h]	7_2_033D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D035C mov eax, dword ptr fs:[00000030h]	7_2_033D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D035C mov eax, dword ptr fs:[00000030h]	7_2_033D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F8350 mov ecx, dword ptr fs:[00000030h]	7_2_033F8350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340C3CD mov eax, dword ptr fs:[00000030h]	7_2_0340C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03348397 mov eax, dword ptr fs:[00000030h]	7_2_03348397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03348397 mov eax, dword ptr fs:[00000030h]	7_2_03348397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03348397 mov eax, dword ptr fs:[00000030h]	7_2_03348397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337438F mov eax, dword ptr fs:[00000030h]	7_2_0337438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337438F mov eax, dword ptr fs:[00000030h]	7_2_0337438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334E388 mov eax, dword ptr fs:[00000030h]	7_2_0334E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334E388 mov eax, dword ptr fs:[00000030h]	7_2_0334E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334E388 mov eax, dword ptr fs:[00000030h]	7_2_0334E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0336E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0336E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0336E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033863FF mov eax, dword ptr fs:[00000030h]	7_2_033863FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE3DB mov eax, dword ptr fs:[00000030h]	7_2_033FE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE3DB mov eax, dword ptr fs:[00000030h]	7_2_033FE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE3DB mov ecx, dword ptr fs:[00000030h]	7_2_033FE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE3DB mov eax, dword ptr fs:[00000030h]	7_2_033FE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F43D4 mov eax, dword ptr fs:[00000030h]	7_2_033F43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F43D4 mov eax, dword ptr fs:[00000030h]	7_2_033F43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0335A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0335A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0335A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0335A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0335A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0335A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033583C0 mov eax, dword ptr fs:[00000030h]	7_2_033583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033583C0 mov eax, dword ptr fs:[00000030h]	7_2_033583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033583C0 mov eax, dword ptr fs:[00000030h]	7_2_033583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033583C0 mov eax, dword ptr fs:[00000030h]	7_2_033583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D63C0 mov eax, dword ptr fs:[00000030h]	7_2_033D63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334823B mov eax, dword ptr fs:[00000030h]	7_2_0334823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340A250 mov eax, dword ptr fs:[00000030h]	7_2_0340A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340A250 mov eax, dword ptr fs:[00000030h]	7_2_0340A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0342625D mov eax, dword ptr fs:[00000030h]	7_2_0342625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354260 mov eax, dword ptr fs:[00000030h]	7_2_03354260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354260 mov eax, dword ptr fs:[00000030h]	7_2_03354260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354260 mov eax, dword ptr fs:[00000030h]	7_2_03354260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334826B mov eax, dword ptr fs:[00000030h]	7_2_0334826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334A250 mov eax, dword ptr fs:[00000030h]	7_2_0334A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356259 mov eax, dword ptr fs:[00000030h]	7_2_03356259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D8243 mov eax, dword ptr fs:[00000030h]	7_2_033D8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D8243 mov ecx, dword ptr fs:[00000030h]	7_2_033D8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034262D6 mov eax, dword ptr fs:[00000030h]	7_2_034262D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E62A0 mov eax, dword ptr fs:[00000030h]	7_2_033E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E62A0 mov ecx, dword ptr fs:[00000030h]	7_2_033E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E62A0 mov eax, dword ptr fs:[00000030h]	7_2_033E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E62A0 mov eax, dword ptr fs:[00000030h]	7_2_033E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E62A0 mov eax, dword ptr fs:[00000030h]	7_2_033E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E62A0 mov eax, dword ptr fs:[00000030h]	7_2_033E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E284 mov eax, dword ptr fs:[00000030h]	7_2_0338E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E284 mov eax, dword ptr fs:[00000030h]	7_2_0338E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D0283 mov eax, dword ptr fs:[00000030h]	7_2_033D0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D0283 mov eax, dword ptr fs:[00000030h]	7_2_033D0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D0283 mov eax, dword ptr fs:[00000030h]	7_2_033D0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033602E1 mov eax, dword ptr fs:[00000030h]	7_2_033602E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033602E1 mov eax, dword ptr fs:[00000030h]	7_2_033602E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033602E1 mov eax, dword ptr fs:[00000030h]	7_2_033602E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0335A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0335A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0335A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0335A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0335A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03380124 mov eax, dword ptr fs:[00000030h]	7_2_03380124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424164 mov eax, dword ptr fs:[00000030h]	7_2_03424164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424164 mov eax, dword ptr fs:[00000030h]	7_2_03424164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FA118 mov ecx, dword ptr fs:[00000030h]	7_2_033FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FA118 mov eax, dword ptr fs:[00000030h]	7_2_033FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FA118 mov eax, dword ptr fs:[00000030h]	7_2_033FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FA118 mov eax, dword ptr fs:[00000030h]	7_2_033FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov eax, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov ecx, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov eax, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov eax, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov ecx, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov eax, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov eax, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov ecx, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov eax, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov ecx, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03410115 mov eax, dword ptr fs:[00000030h]	7_2_03410115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356154 mov eax, dword ptr fs:[00000030h]	7_2_03356154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356154 mov eax, dword ptr fs:[00000030h]	7_2_03356154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334C156 mov eax, dword ptr fs:[00000030h]	7_2_0334C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E8158 mov eax, dword ptr fs:[00000030h]	7_2_033E8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E4144 mov eax, dword ptr fs:[00000030h]	7_2_033E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E4144 mov eax, dword ptr fs:[00000030h]	7_2_033E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E4144 mov ecx, dword ptr fs:[00000030h]	7_2_033E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E4144 mov eax, dword ptr fs:[00000030h]	7_2_033E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E4144 mov eax, dword ptr fs:[00000030h]	7_2_033E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034161C3 mov eax, dword ptr fs:[00000030h]	7_2_034161C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034161C3 mov eax, dword ptr fs:[00000030h]	7_2_034161C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D019F mov eax, dword ptr fs:[00000030h]	7_2_033D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D019F mov eax, dword ptr fs:[00000030h]	7_2_033D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D019F mov eax, dword ptr fs:[00000030h]	7_2_033D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D019F mov eax, dword ptr fs:[00000030h]	7_2_033D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334A197 mov eax, dword ptr fs:[00000030h]	7_2_0334A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334A197 mov eax, dword ptr fs:[00000030h]	7_2_0334A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334A197 mov eax, dword ptr fs:[00000030h]	7_2_0334A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034261E5 mov eax, dword ptr fs:[00000030h]	7_2_034261E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03390185 mov eax, dword ptr fs:[00000030h]	7_2_03390185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F4180 mov eax, dword ptr fs:[00000030h]	7_2_033F4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F4180 mov eax, dword ptr fs:[00000030h]	7_2_033F4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033801F8 mov eax, dword ptr fs:[00000030h]	7_2_033801F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340C188 mov eax, dword ptr fs:[00000030h]	7_2_0340C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340C188 mov eax, dword ptr fs:[00000030h]	7_2_0340C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE1D0 mov eax, dword ptr fs:[00000030h]	7_2_033CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE1D0 mov eax, dword ptr fs:[00000030h]	7_2_033CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE1D0 mov ecx, dword ptr fs:[00000030h]	7_2_033CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE1D0 mov eax, dword ptr fs:[00000030h]	7_2_033CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE1D0 mov eax, dword ptr fs:[00000030h]	7_2_033CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E6030 mov eax, dword ptr fs:[00000030h]	7_2_033E6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334A020 mov eax, dword ptr fs:[00000030h]	7_2_0334A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334C020 mov eax, dword ptr fs:[00000030h]	7_2_0334C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E016 mov eax, dword ptr fs:[00000030h]	7_2_0336E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E016 mov eax, dword ptr fs:[00000030h]	7_2_0336E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E016 mov eax, dword ptr fs:[00000030h]	7_2_0336E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E016 mov eax, dword ptr fs:[00000030h]	7_2_0336E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D4000 mov ecx, dword ptr fs:[00000030h]	7_2_033D4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337C073 mov eax, dword ptr fs:[00000030h]	7_2_0337C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03352050 mov eax, dword ptr fs:[00000030h]	7_2_03352050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6050 mov eax, dword ptr fs:[00000030h]	7_2_033D6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033480A0 mov eax, dword ptr fs:[00000030h]	7_2_033480A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E80A8 mov eax, dword ptr fs:[00000030h]	7_2_033E80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335208A mov eax, dword ptr fs:[00000030h]	7_2_0335208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334C0F0 mov eax, dword ptr fs:[00000030h]	7_2_0334C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033920F0 mov ecx, dword ptr fs:[00000030h]	7_2_033920F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334A0E3 mov ecx, dword ptr fs:[00000030h]	7_2_0334A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033580E9 mov eax, dword ptr fs:[00000030h]	7_2_033580E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D60E0 mov eax, dword ptr fs:[00000030h]	7_2_033D60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D20DE mov eax, dword ptr fs:[00000030h]	7_2_033D20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034160B8 mov eax, dword ptr fs:[00000030h]	7_2_034160B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034160B8 mov ecx, dword ptr fs:[00000030h]	7_2_034160B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338273C mov eax, dword ptr fs:[00000030h]	7_2_0338273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338273C mov ecx, dword ptr fs:[00000030h]	7_2_0338273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338273C mov eax, dword ptr fs:[00000030h]	7_2_0338273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CC730 mov eax, dword ptr fs:[00000030h]	7_2_033CC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338C720 mov eax, dword ptr fs:[00000030h]	7_2_0338C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338C720 mov eax, dword ptr fs:[00000030h]	7_2_0338C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350710 mov eax, dword ptr fs:[00000030h]	7_2_03350710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03380710 mov eax, dword ptr fs:[00000030h]	7_2_03380710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338C700 mov eax, dword ptr fs:[00000030h]	7_2_0338C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358770 mov eax, dword ptr fs:[00000030h]	7_2_03358770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DE75D mov eax, dword ptr fs:[00000030h]	7_2_033DE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350750 mov eax, dword ptr fs:[00000030h]	7_2_03350750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D4755 mov eax, dword ptr fs:[00000030h]	7_2_033D4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392750 mov eax, dword ptr fs:[00000030h]	7_2_03392750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392750 mov eax, dword ptr fs:[00000030h]	7_2_03392750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338674D mov esi, dword ptr fs:[00000030h]	7_2_0338674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338674D mov eax, dword ptr fs:[00000030h]	7_2_0338674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338674D mov eax, dword ptr fs:[00000030h]	7_2_0338674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033507AF mov eax, dword ptr fs:[00000030h]	7_2_033507AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F678E mov eax, dword ptr fs:[00000030h]	7_2_033F678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033547FB mov eax, dword ptr fs:[00000030h]	7_2_033547FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033547FB mov eax, dword ptr fs:[00000030h]	7_2_033547FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033727ED mov eax, dword ptr fs:[00000030h]	7_2_033727ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033727ED mov eax, dword ptr fs:[00000030h]	7_2_033727ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033727ED mov eax, dword ptr fs:[00000030h]	7_2_033727ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DE7E1 mov eax, dword ptr fs:[00000030h]	7_2_033DE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034047A0 mov eax, dword ptr fs:[00000030h]	7_2_034047A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335C7C0 mov eax, dword ptr fs:[00000030h]	7_2_0335C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D07C3 mov eax, dword ptr fs:[00000030h]	7_2_033D07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E627 mov eax, dword ptr fs:[00000030h]	7_2_0336E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03386620 mov eax, dword ptr fs:[00000030h]	7_2_03386620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03388620 mov eax, dword ptr fs:[00000030h]	7_2_03388620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335262C mov eax, dword ptr fs:[00000030h]	7_2_0335262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392619 mov eax, dword ptr fs:[00000030h]	7_2_03392619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341866E mov eax, dword ptr fs:[00000030h]	7_2_0341866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341866E mov eax, dword ptr fs:[00000030h]	7_2_0341866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE609 mov eax, dword ptr fs:[00000030h]	7_2_033CE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03382674 mov eax, dword ptr fs:[00000030h]	7_2_03382674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A660 mov eax, dword ptr fs:[00000030h]	7_2_0338A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A660 mov eax, dword ptr fs:[00000030h]	7_2_0338A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336C640 mov eax, dword ptr fs:[00000030h]	7_2_0336C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033866B0 mov eax, dword ptr fs:[00000030h]	7_2_033866B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338C6A6 mov eax, dword ptr fs:[00000030h]	7_2_0338C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354690 mov eax, dword ptr fs:[00000030h]	7_2_03354690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354690 mov eax, dword ptr fs:[00000030h]	7_2_03354690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D06F1 mov eax, dword ptr fs:[00000030h]	7_2_033D06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D06F1 mov eax, dword ptr fs:[00000030h]	7_2_033D06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE6F2 mov eax, dword ptr fs:[00000030h]	7_2_033CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE6F2 mov eax, dword ptr fs:[00000030h]	7_2_033CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE6F2 mov eax, dword ptr fs:[00000030h]	7_2_033CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE6F2 mov eax, dword ptr fs:[00000030h]	7_2_033CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A6C7 mov ebx, dword ptr fs:[00000030h]	7_2_0338A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A6C7 mov eax, dword ptr fs:[00000030h]	7_2_0338A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535 mov eax, dword ptr fs:[00000030h]	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535 mov eax, dword ptr fs:[00000030h]	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535 mov eax, dword ptr fs:[00000030h]	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535 mov eax, dword ptr fs:[00000030h]	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535 mov eax, dword ptr fs:[00000030h]	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535 mov eax, dword ptr fs:[00000030h]	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E53E mov eax, dword ptr fs:[00000030h]	7_2_0337E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E53E mov eax, dword ptr fs:[00000030h]	7_2_0337E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E53E mov eax, dword ptr fs:[00000030h]	7_2_0337E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E53E mov eax, dword ptr fs:[00000030h]	7_2_0337E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E53E mov eax, dword ptr fs:[00000030h]	7_2_0337E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E6500 mov eax, dword ptr fs:[00000030h]	7_2_033E6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338656A mov eax, dword ptr fs:[00000030h]	7_2_0338656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338656A mov eax, dword ptr fs:[00000030h]	7_2_0338656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338656A mov eax, dword ptr fs:[00000030h]	7_2_0338656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358550 mov eax, dword ptr fs:[00000030h]	7_2_03358550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358550 mov eax, dword ptr fs:[00000030h]	7_2_03358550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033745B1 mov eax, dword ptr fs:[00000030h]	7_2_033745B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033745B1 mov eax, dword ptr fs:[00000030h]	7_2_033745B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D05A7 mov eax, dword ptr fs:[00000030h]	7_2_033D05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D05A7 mov eax, dword ptr fs:[00000030h]	7_2_033D05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D05A7 mov eax, dword ptr fs:[00000030h]	7_2_033D05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E59C mov eax, dword ptr fs:[00000030h]	7_2_0338E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03384588 mov eax, dword ptr fs:[00000030h]	7_2_03384588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03352582 mov eax, dword ptr fs:[00000030h]	7_2_03352582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03352582 mov ecx, dword ptr fs:[00000030h]	7_2_03352582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033525E0 mov eax, dword ptr fs:[00000030h]	7_2_033525E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338C5ED mov eax, dword ptr fs:[00000030h]	7_2_0338C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338C5ED mov eax, dword ptr fs:[00000030h]	7_2_0338C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033565D0 mov eax, dword ptr fs:[00000030h]	7_2_033565D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0338A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0338A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E5CF mov eax, dword ptr fs:[00000030h]	7_2_0338E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E5CF mov eax, dword ptr fs:[00000030h]	7_2_0338E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A430 mov eax, dword ptr fs:[00000030h]	7_2_0338A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334C427 mov eax, dword ptr fs:[00000030h]	7_2_0334C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334E420 mov eax, dword ptr fs:[00000030h]	7_2_0334E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334E420 mov eax, dword ptr fs:[00000030h]	7_2_0334E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334E420 mov eax, dword ptr fs:[00000030h]	7_2_0334E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340A456 mov eax, dword ptr fs:[00000030h]	7_2_0340A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03388402 mov eax, dword ptr fs:[00000030h]	7_2_03388402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03388402 mov eax, dword ptr fs:[00000030h]	7_2_03388402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03388402 mov eax, dword ptr fs:[00000030h]	7_2_03388402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337A470 mov eax, dword ptr fs:[00000030h]	7_2_0337A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337A470 mov eax, dword ptr fs:[00000030h]	7_2_0337A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337A470 mov eax, dword ptr fs:[00000030h]	7_2_0337A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DC460 mov ecx, dword ptr fs:[00000030h]	7_2_033DC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334645D mov eax, dword ptr fs:[00000030h]	7_2_0334645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337245A mov eax, dword ptr fs:[00000030h]	7_2_0337245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033844B0 mov ecx, dword ptr fs:[00000030h]	7_2_033844B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DA4B0 mov eax, dword ptr fs:[00000030h]	7_2_033DA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033564AB mov eax, dword ptr fs:[00000030h]	7_2_033564AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033504E5 mov ecx, dword ptr fs:[00000030h]	7_2_033504E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340A49A mov eax, dword ptr fs:[00000030h]	7_2_0340A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341AB40 mov eax, dword ptr fs:[00000030h]	7_2_0341AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03404B4B mov eax, dword ptr fs:[00000030h]	7_2_03404B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03404B4B mov eax, dword ptr fs:[00000030h]	7_2_03404B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03422B57 mov eax, dword ptr fs:[00000030h]	7_2_03422B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03422B57 mov eax, dword ptr fs:[00000030h]	7_2_03422B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03422B57 mov eax, dword ptr fs:[00000030h]	7_2_03422B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03422B57 mov eax, dword ptr fs:[00000030h]	7_2_03422B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337EB20 mov eax, dword ptr fs:[00000030h]	7_2_0337EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337EB20 mov eax, dword ptr fs:[00000030h]	7_2_0337EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424B00 mov eax, dword ptr fs:[00000030h]	7_2_03424B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334CB7E mov eax, dword ptr fs:[00000030h]	7_2_0334CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03348B50 mov eax, dword ptr fs:[00000030h]	7_2_03348B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03418B28 mov eax, dword ptr fs:[00000030h]	7_2_03418B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03418B28 mov eax, dword ptr fs:[00000030h]	7_2_03418B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FEB50 mov eax, dword ptr fs:[00000030h]	7_2_033FEB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F8B42 mov eax, dword ptr fs:[00000030h]	7_2_033F8B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E6B40 mov eax, dword ptr fs:[00000030h]	7_2_033E6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E6B40 mov eax, dword ptr fs:[00000030h]	7_2_033E6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360BBE mov eax, dword ptr fs:[00000030h]	7_2_03360BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360BBE mov eax, dword ptr fs:[00000030h]	7_2_03360BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358BF0 mov eax, dword ptr fs:[00000030h]	7_2_03358BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358BF0 mov eax, dword ptr fs:[00000030h]	7_2_03358BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358BF0 mov eax, dword ptr fs:[00000030h]	7_2_03358BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337EBFC mov eax, dword ptr fs:[00000030h]	7_2_0337EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DCBF0 mov eax, dword ptr fs:[00000030h]	7_2_033DCBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FEBD0 mov eax, dword ptr fs:[00000030h]	7_2_033FEBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03404BB0 mov eax, dword ptr fs:[00000030h]	7_2_03404BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03404BB0 mov eax, dword ptr fs:[00000030h]	7_2_03404BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350BCD mov eax, dword ptr fs:[00000030h]	7_2_03350BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350BCD mov eax, dword ptr fs:[00000030h]	7_2_03350BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350BCD mov eax, dword ptr fs:[00000030h]	7_2_03350BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03370BCB mov eax, dword ptr fs:[00000030h]	7_2_03370BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03370BCB mov eax, dword ptr fs:[00000030h]	7_2_03370BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03370BCB mov eax, dword ptr fs:[00000030h]	7_2_03370BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338CA38 mov eax, dword ptr fs:[00000030h]	7_2_0338CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03374A35 mov eax, dword ptr fs:[00000030h]	7_2_03374A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03374A35 mov eax, dword ptr fs:[00000030h]	7_2_03374A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337EA2E mov eax, dword ptr fs:[00000030h]	7_2_0337EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338CA24 mov eax, dword ptr fs:[00000030h]	7_2_0338CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DCA11 mov eax, dword ptr fs:[00000030h]	7_2_033DCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CCA72 mov eax, dword ptr fs:[00000030h]	7_2_033CCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CCA72 mov eax, dword ptr fs:[00000030h]	7_2_033CCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338CA6F mov eax, dword ptr fs:[00000030h]	7_2_0338CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338CA6F mov eax, dword ptr fs:[00000030h]	7_2_0338CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338CA6F mov eax, dword ptr fs:[00000030h]	7_2_0338CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FEA60 mov eax, dword ptr fs:[00000030h]	7_2_033FEA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360A5B mov eax, dword ptr fs:[00000030h]	7_2_03360A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360A5B mov eax, dword ptr fs:[00000030h]	7_2_03360A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358AA0 mov eax, dword ptr fs:[00000030h]	7_2_03358AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358AA0 mov eax, dword ptr fs:[00000030h]	7_2_03358AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A6AA4 mov eax, dword ptr fs:[00000030h]	7_2_033A6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03388A90 mov edx, dword ptr fs:[00000030h]	7_2_03388A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424A80 mov eax, dword ptr fs:[00000030h]	7_2_03424A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338AAEE mov eax, dword ptr fs:[00000030h]	7_2_0338AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338AAEE mov eax, dword ptr fs:[00000030h]	7_2_0338AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350AD0 mov eax, dword ptr fs:[00000030h]	7_2_03350AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03384AD0 mov eax, dword ptr fs:[00000030h]	7_2_03384AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03384AD0 mov eax, dword ptr fs:[00000030h]	7_2_03384AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A6ACC mov eax, dword ptr fs:[00000030h]	7_2_033A6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A6ACC mov eax, dword ptr fs:[00000030h]	7_2_033A6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A6ACC mov eax, dword ptr fs:[00000030h]	7_2_033A6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424940 mov eax, dword ptr fs:[00000030h]	7_2_03424940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E892B mov eax, dword ptr fs:[00000030h]	7_2_033E892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D892A mov eax, dword ptr fs:[00000030h]	7_2_033D892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03348918 mov eax, dword ptr fs:[00000030h]	7_2_03348918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03348918 mov eax, dword ptr fs:[00000030h]	7_2_03348918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DC912 mov eax, dword ptr fs:[00000030h]	7_2_033DC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE908 mov eax, dword ptr fs:[00000030h]	7_2_033CE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE908 mov eax, dword ptr fs:[00000030h]	7_2_033CE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DC97C mov eax, dword ptr fs:[00000030h]	7_2_033DC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F4978 mov eax, dword ptr fs:[00000030h]	7_2_033F4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F4978 mov eax, dword ptr fs:[00000030h]	7_2_033F4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03376962 mov eax, dword ptr fs:[00000030h]	7_2_03376962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03376962 mov eax, dword ptr fs:[00000030h]	7_2_03376962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03376962 mov eax, dword ptr fs:[00000030h]	7_2_03376962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0339096E mov eax, dword ptr fs:[00000030h]	7_2_0339096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0339096E mov edx, dword ptr fs:[00000030h]	7_2_0339096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0339096E mov eax, dword ptr fs:[00000030h]	7_2_0339096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D0946 mov eax, dword ptr fs:[00000030h]	7_2_033D0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D89B3 mov esi, dword ptr fs:[00000030h]	7_2_033D89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D89B3 mov eax, dword ptr fs:[00000030h]	7_2_033D89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D89B3 mov eax, dword ptr fs:[00000030h]	7_2_033D89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341A9D3 mov eax, dword ptr fs:[00000030h]	7_2_0341A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033509AD mov eax, dword ptr fs:[00000030h]	7_2_033509AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033509AD mov eax, dword ptr fs:[00000030h]	7_2_033509AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033829F9 mov eax, dword ptr fs:[00000030h]	7_2_033829F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033829F9 mov eax, dword ptr fs:[00000030h]	7_2_033829F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DE9E0 mov eax, dword ptr fs:[00000030h]	7_2_033DE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0335A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0335A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0335A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0335A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0335A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0335A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033849D0 mov eax, dword ptr fs:[00000030h]	7_2_033849D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E69C0 mov eax, dword ptr fs:[00000030h]	7_2_033E69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372835 mov eax, dword ptr fs:[00000030h]	7_2_03372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372835 mov eax, dword ptr fs:[00000030h]	7_2_03372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372835 mov eax, dword ptr fs:[00000030h]	7_2_03372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372835 mov ecx, dword ptr fs:[00000030h]	7_2_03372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372835 mov eax, dword ptr fs:[00000030h]	7_2_03372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372835 mov eax, dword ptr fs:[00000030h]	7_2_03372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F483A mov eax, dword ptr fs:[00000030h]	7_2_033F483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F483A mov eax, dword ptr fs:[00000030h]	7_2_033F483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A830 mov eax, dword ptr fs:[00000030h]	7_2_0338A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DC810 mov eax, dword ptr fs:[00000030h]	7_2_033DC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E6870 mov eax, dword ptr fs:[00000030h]	7_2_033E6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E6870 mov eax, dword ptr fs:[00000030h]	7_2_033E6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DE872 mov eax, dword ptr fs:[00000030h]	7_2_033DE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DE872 mov eax, dword ptr fs:[00000030h]	7_2_033DE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03380854 mov eax, dword ptr fs:[00000030h]	7_2_03380854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354859 mov eax, dword ptr fs:[00000030h]	7_2_03354859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354859 mov eax, dword ptr fs:[00000030h]	7_2_03354859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03362840 mov ecx, dword ptr fs:[00000030h]	7_2_03362840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034208C0 mov eax, dword ptr fs:[00000030h]	7_2_034208C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DC89D mov eax, dword ptr fs:[00000030h]	7_2_033DC89D

Enables debug privileges

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x26DA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x2F9A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x2F9A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x152A4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x152A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x292A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x148A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x118A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x148A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x292A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x26DA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x14EA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x118A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x281A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x14EA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x281A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0xFCA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0xFCA56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\reg.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\reg.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 4004	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 220000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\reg.exe base address: 370000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: E80000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: E80000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 270000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 960000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: E80000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 130000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: A60000

Writes to foreign memory regions

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 72D008
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DF9008
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9AB008

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"

Source: explorer.exe, 00000008.00000002.3366936645.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2175983009.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000008.00000000.2178228017.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3366936645.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3371369932.00000000048E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000002.3366936645.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2175983009.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000008.00000002.3365608338.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2175448069.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000008.00000002.3366936645.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2175983009.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.2186408127.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3074869572.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

AV process strings found (often used to terminate AV products)

Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2179042011.00000000050F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2179042011.000000000513C000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2173739355.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2178914699.00000000050A9000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2348427426.00000000059EC000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2421067094.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2401595350.0000000000808000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2491782208.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2505667538.0000000005448000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2633457329.0000000006187000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2174149800.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2329293185.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2403280656.000000000259A000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2493397578.0000000002648000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2612943933.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 0000002E.00000002.2700394567.0000000003054000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 00000036.00000002.2785236388.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 0000003F.00000002.2864011147.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 00000047.00000002.2995542174.0000000003551000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q(C:\Program Files\AVG\Antivirus\AVGUI.exe
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2174149800.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2329293185.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2403280656.000000000259A000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2493397578.0000000002648000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2612943933.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 0000002E.00000002.2700394567.0000000003054000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 00000036.00000002.2785236388.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 0000003F.00000002.2864011147.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 00000047.00000002.2995542174.0000000003551000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q.C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Searches for user specific document files

Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
63.250.38.167	youngonven.com	United States	22612	NAMECHEAP-NETUS	false
34.205.242.146	hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com	United States	14618	AMAZON-AESUS	true
192.243.59.20	www.emeraldsurrogatefabric.com	Dominica	39572	ADVANCEDHOSTERS-ASNL	true
104.21.93.17	www.thecolourgrey.com	United States	13335	CLOUDFLARENETUS	true
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	true

Contacted Domains

Name	IP	Active
www.thecolourgrey.com	104.21.93.17	true
parkingpage.namecheap.com	91.195.240.19	true
texanboxes.com	3.33.130.190	true
youngonven.com	63.250.38.167	true
www.emeraldsurrogatefabric.com	192.243.59.20	true
hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com	34.205.242.146	true
www.pure1027.com	unknown	unknown
www.0757hunyin.net	unknown	unknown
www.anangtoto.com	unknown	unknown
www.texanboxes.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.cnoszirzbkaqz.com/btrd/	true	6%, Virustotal, Browse	unknown
http://www.emeraldsurrogatefabric.com/btrd/?8pn=ChvLWF0pZdjL9&orD=G5lr6//zQ7aMiplq1GdUNb9GEJVmzQOhD2w3hHYWxcuiBbLjkdh8uX+W8X62ffIzaE+7zSgsRw==	true		unknown
http://www.anangtoto.com/btrd/?orD=sqRP0a8aV68K6FqJqAk+hHqxgWstkLnSX2TzjpZXqgEq2vKFORbsNIdmsOuhVtdKxSDXL4nXjg==&8pn=ChvLWF0pZdjL9	true		unknown
http://youngonven.com/1485	false		unknown
http://www.thecolourgrey.com/btrd/?8pn=ChvLWF0pZdjL9&orD=1hanRQkKsw2EpQWVKCl4LROlWZtcCFpSARtuzqwGSwLi36Og4ncRpLu12qyBMcT+6ho6oQQ/oA==	true		unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PURCHASED ORDER OF ENG091.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Avira: detection malicious, Label: HEUR/AGEN.1305452
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	Avira: detection malicious, Label: HEUR/AGEN.1305452
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Avira: detection malicious, Label: HEUR/AGEN.1305452
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Avira: detection malicious, Label: HEUR/AGEN.1305452
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Avira: detection malicious, Label: HEUR/AGEN.1305452

Found malware configuration

Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp

Multi AV Scanner detection for domain / URL

Source: www.emeraldsurrogatefabric.com	Virustotal: Detection: 8%	Perma Link
Source: http://www.emeraldsurrogatefabric.com	Virustotal: Detection: 8%	Perma Link
Source: http://www.martline.website/btrd/	Virustotal: Detection: 15%	Perma Link
Source: www.cnoszirzbkaqz.com/btrd/	Virustotal: Detection: 6%	Perma Link
Source: http://www.emeraldsurrogatefabric.com/btrd/	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	ReversingLabs: Detection: 60%
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	ReversingLabs: Detection: 60%
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	ReversingLabs: Detection: 60%
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	ReversingLabs: Detection: 60%
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: PURCHASED ORDER OF ENG091.exe	ReversingLabs: Detection: 60%
Source: PURCHASED ORDER OF ENG091.exe	Virustotal: Detection: 63%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PURCHASED ORDER OF ENG091.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: chkdsk.pdbGCTL source: RegAsm.exe, 00000045.00000002.2892603642.0000000001380000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000046.00000002.2895393793.0000000000130000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdbGCTL source: RegAsm.exe, 00000007.00000002.2235793612.0000000001540000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365281971.0000000000220000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdb source: RegAsm.exe, 00000013.00000002.2357394928.0000000001720000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367071175.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msdt.pdbGCTL source: RegAsm.exe, 0000001B.00000002.2433869260.00000000026F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436801979.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 00000025.00000002.2526883807.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824411296.0000000000E80000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netsh.pdb source: RegAsm.exe, 0000004D.00000002.3028255621.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 0000004E.00000002.3033972586.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\password_generator-master\obj\Debug\Aewlani.pdb source: PURCHASED ORDER OF ENG091.exe, 00000000.00000000.2119834627.0000000000442000.00000002.00000001.01000000.00000003.sdmp, cmd.exe, 00000005.00000003.2161957449.00000000032E5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2315915569.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000003.2390659515.0000000003086000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000022.00000003.2479534553.0000000002695000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002A.00000003.2596807840.0000000003135000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000032.00000003.2684351983.00000000032E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000003A.00000003.2769484455.0000000002905000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000043.00000003.2848660519.00000000032C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000004B.00000003.2975731288.00000000035E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: RegAsm.exe, 00000013.00000002.2357394928.0000000001720000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367071175.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: RegAsm.exe, 00000045.00000002.2892603642.0000000001380000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000046.00000002.2895393793.0000000000130000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000007.00000002.2236865702.0000000003320000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2237767546.0000000004599000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.0000000004740000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2235631145.00000000043E5000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2357315746.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2364128162.0000000004CBC000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.000000000500E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004B9E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2432746712.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2435053187.0000000004854000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.000000000502E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2522733065.0000000004AEF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2524932833.0000000004CDC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2644284547.00000000046C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2647610865.0000000004879000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2729298239.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002CE0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002E7E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2727219080.0000000002985000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2815565973.0000000004B43000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004E8E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2812512464.0000000004999000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000046.00000003.2893566375.00000000056D8000.00000004.00000020.00020000.00000
Source:	Binary string: RegAsm.pdb source: explorer.exe, 00000008.00000002.3389406505.0000000010A9F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3367455817.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365692981.000000000293B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netsh.pdbGCTL source: RegAsm.exe, 0000004D.00000002.3028255621.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 0000004E.00000002.3033972586.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2236865702.0000000003320000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2237767546.0000000004599000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.0000000004740000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2235631145.00000000043E5000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2357315746.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2364128162.0000000004CBC000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.000000000500E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004B9E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2432746712.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2435053187.0000000004854000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.000000000502E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2522733065.0000000004AEF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2524932833.0000000004CDC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2644284547.00000000046C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2647610865.0000000004879000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2729298239.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002CE0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002E7E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2727219080.0000000002985000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2815565973.0000000004B43000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004E8E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2812512464.0000000004999000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000046.00000003.2893566375.00000000056D8000.00000004.00000020.00020
Source:	Binary string: rundll32.pdb source: RegAsm.exe, 0000002C.00000002.2646537881.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2648985101.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: RegAsm.exe, 00000034.00000002.2729173666.0000000002940000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732547455.0000000000960000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: RegAsm.exe, 0000002C.00000002.2646537881.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2648985101.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: RegAsm.exe, 00000007.00000002.2235793612.0000000001540000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365281971.0000000000220000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: explorer.exe, 00000008.00000002.3389406505.0000000010A9F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3367455817.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365692981.000000000293B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msdt.pdb source: RegAsm.exe, 0000001B.00000002.2433869260.00000000026F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436801979.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 00000025.00000002.2526883807.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824411296.0000000000E80000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: RegAsm.exe, 00000034.00000002.2729173666.0000000002940000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732547455.0000000000960000.00000040.80000000.00040000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49995 -> 104.21.93.17:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49995 -> 104.21.93.17:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49995 -> 104.21.93.17:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50000 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50000 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50000 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50006 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50006 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50006 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49882 -> 192.243.59.20:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49882 -> 192.243.59.20:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49882 -> 192.243.59.20:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49992 -> 34.205.242.146:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49992 -> 34.205.242.146:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49992 -> 34.205.242.146:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.cnoszirzbkaqz.com/btrd/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?8pn=ChvLWF0pZdjL9&orD=G5lr6//zQ7aMiplq1GdUNb9GEJVmzQOhD2w3hHYWxcuiBbLjkdh8uX+W8X62ffIzaE+7zSgsRw== HTTP/1.1Host: www.emeraldsurrogatefabric.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?orD=Eh2Xpu8l9dqABVqMRkelxcAdaQWRauo4zIVE3zjkUJjpFQNmsYxfVbqaI7I2lWlUEjDmoepSbg==&8pn=ChvLWF0pZdjL9 HTTP/1.1Host: www.pure1027.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?8pn=ChvLWF0pZdjL9&orD=1hanRQkKsw2EpQWVKCl4LROlWZtcCFpSARtuzqwGSwLi36Og4ncRpLu12qyBMcT+6ho6oQQ/oA== HTTP/1.1Host: www.thecolourgrey.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?orD=sqRP0a8aV68K6FqJqAk+hHqxgWstkLnSX2TzjpZXqgEq2vKFORbsNIdmsOuhVtdKxSDXL4nXjg==&8pn=ChvLWF0pZdjL9 HTTP/1.1Host: www.anangtoto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.205.242.146 34.205.242.146
Source: Joe Sandbox View	IP Address: 192.243.59.20 192.243.59.20
Source: Joe Sandbox View	IP Address: 192.243.59.20 192.243.59.20

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: ADVANCEDHOSTERS-ASNL ADVANCEDHOSTERS-ASNL
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 8_2_1135CF82 getaddrinfo,setsockopt,recv,

8_2_1135CF82

Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?8pn=ChvLWF0pZdjL9&orD=G5lr6//zQ7aMiplq1GdUNb9GEJVmzQOhD2w3hHYWxcuiBbLjkdh8uX+W8X62ffIzaE+7zSgsRw== HTTP/1.1Host: www.emeraldsurrogatefabric.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?orD=Eh2Xpu8l9dqABVqMRkelxcAdaQWRauo4zIVE3zjkUJjpFQNmsYxfVbqaI7I2lWlUEjDmoepSbg==&8pn=ChvLWF0pZdjL9 HTTP/1.1Host: www.pure1027.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?8pn=ChvLWF0pZdjL9&orD=1hanRQkKsw2EpQWVKCl4LROlWZtcCFpSARtuzqwGSwLi36Og4ncRpLu12qyBMcT+6ho6oQQ/oA== HTTP/1.1Host: www.thecolourgrey.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /btrd/?orD=sqRP0a8aV68K6FqJqAk+hHqxgWstkLnSX2TzjpZXqgEq2vKFORbsNIdmsOuhVtdKxSDXL4nXjg==&8pn=ChvLWF0pZdjL9 HTTP/1.1Host: www.anangtoto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1485 HTTP/1.1Host: youngonven.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: youngonven.com
Source: global traffic	DNS traffic detected: DNS query: www.emeraldsurrogatefabric.com
Source: global traffic	DNS traffic detected: DNS query: www.pure1027.com
Source: global traffic	DNS traffic detected: DNS query: www.thecolourgrey.com
Source: global traffic	DNS traffic detected: DNS query: www.anangtoto.com
Source: global traffic	DNS traffic detected: DNS query: www.0757hunyin.net
Source: global traffic	DNS traffic detected: DNS query: www.texanboxes.com

Source: explorer.exe, 00000008.00000000.2185822168.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000008.00000000.2185822168.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000008.00000000.2185822168.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000008.00000000.2185822168.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000008.00000002.3377674269.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000008.00000000.2180118675.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3367289730.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3374312359.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2174149800.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2329293185.0000000002701000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2403280656.00000000022EC000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2493397578.0000000002351000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2612943933.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 0000002E.00000002.2700394567.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 00000036.00000002.2785236388.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 0000003F.00000002.2864011147.0000000002911000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 00000047.00000002.2995542174.000000000337C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0757hunyin.net
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0757hunyin.net/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0757hunyin.net/btrd/www.texanboxes.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0757hunyin.netReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anangtoto.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anangtoto.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anangtoto.com/btrd/www.0757hunyin.net
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anangtoto.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cnoszirzbkaqz.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cnoszirzbkaqz.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cnoszirzbkaqz.com/btrd/www.thebestanglephotography.online
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cnoszirzbkaqz.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emeraldsurrogatefabric.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emeraldsurrogatefabric.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emeraldsurrogatefabric.com/btrd/www.pure1027.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.emeraldsurrogatefabric.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.invest247on.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.invest247on.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.invest247on.com/btrd/www.xmentorgroup.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.invest247on.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.martline.website
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.martline.website/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.martline.website/btrd/www.naddafornadda.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.martline.websiteReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.naddafornadda.com
Source: explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.naddafornadda.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.naddafornadda.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outletivo.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outletivo.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outletivo.com/btrd/www.martline.website
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.outletivo.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pure1027.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pure1027.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pure1027.com/btrd/www.thecolourgrey.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pure1027.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rd8.online
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rd8.online/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rd8.online/btrd/www.researchforhighschool.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rd8.onlineReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.researchforhighschool.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.researchforhighschool.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.researchforhighschool.com/btrd/www.invest247on.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.researchforhighschool.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texanboxes.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texanboxes.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texanboxes.com/btrd/www.watch2movie.xyz
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texanboxes.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thebestanglephotography.online
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thebestanglephotography.online/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thebestanglephotography.online/btrd/www.rd8.online
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thebestanglephotography.onlineReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thecolourgrey.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thecolourgrey.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thecolourgrey.com/btrd/www.anangtoto.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thecolourgrey.comReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.watch2movie.xyz
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.watch2movie.xyz/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.watch2movie.xyz/btrd/www.cnoszirzbkaqz.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.watch2movie.xyzReferer:
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xmentorgroup.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xmentorgroup.com/btrd/
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xmentorgroup.com/btrd/www.outletivo.com
Source: explorer.exe, 00000008.00000003.2980907839.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3386744708.000000000C4D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xmentorgroup.comReferer:
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2174149800.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2329293185.0000000002701000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2403280656.00000000022EC000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2493397578.0000000002351000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2612943933.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 0000002E.00000002.2700394567.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 00000036.00000002.2785236388.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 0000003F.00000002.2864011147.0000000002911000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 00000047.00000002.2995542174.000000000337C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://youngonven.com
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2174149800.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2329293185.0000000002701000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2403280656.000000000228C000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2493397578.0000000002351000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2612943933.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 0000002E.00000002.2700394567.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 00000036.00000002.2785236388.000000000329C000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 0000003F.00000002.2864011147.0000000002911000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 00000047.00000002.2995542174.000000000331C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://youngonven.com/1485
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000000.2119834627.0000000000442000.00000002.00000001.01000000.00000003.sdmp, cmd.exe, 00000005.00000003.2161957449.00000000032E5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2315915569.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000003.2390659515.0000000003086000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000022.00000003.2479534553.0000000002695000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002A.00000003.2596807840.0000000003135000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000032.00000003.2684351983.00000000032E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000003A.00000003.2769484455.0000000002905000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000043.00000003.2848660519.00000000032C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000004B.00000003.2975731288.00000000035E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://youngonven.com/1485#Re
Source: explorer.exe, 00000008.00000002.3377674269.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3074869572.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2979140509.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2186408127.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000008.00000002.3385226475.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2191523498.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000008.00000002.3377674269.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000008.00000002.3377674269.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000008.00000002.3377674269.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000008.00000002.3385226475.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2981523077.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2191523498.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000008.00000002.3385226475.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2981523077.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2191523498.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000008.00000002.3385226475.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2191523498.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000002.3377674269.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3074869572.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2979140509.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2186408127.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000008.00000002.3385226475.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2981523077.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2191523498.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000008.00000002.3389406505.0000000010F8F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3367455817.000000000517F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hugedomains.com/domain_profile.cfm?d=pure1027.com
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000008.00000000.2178462917.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: PURCHASED ORDER OF ENG091.exe PID: 3472, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 5412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: cmstp.exe PID: 5552, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif PID: 5728, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmmon32.exe PID: 4620, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif PID: 4872, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 3700, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif PID: 3004, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif PID: 3924, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 1824, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif PID: 5128, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wlanext.exe PID: 3632, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif PID: 2264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 5748, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif.pif PID: 2704, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 6488, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif.pif PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: netsh.exe PID: 5096, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PURCHASED ORDER OF ENG091.exe

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A340 NtCreateFile,	7_2_0041A340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A3F0 NtReadFile,	7_2_0041A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A470 NtClose,	7_2_0041A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A520 NtAllocateVirtualMemory,	7_2_0041A520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A3EA NtReadFile,	7_2_0041A3EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A392 NtCreateFile,NtReadFile,	7_2_0041A392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A43A NtReadFile,	7_2_0041A43A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392B60 NtClose,LdrInitializeThunk,	7_2_03392B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_03392BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392AD0 NtReadFile,LdrInitializeThunk,	7_2_03392AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392F30 NtCreateSection,LdrInitializeThunk,	7_2_03392F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392FB0 NtResumeThread,LdrInitializeThunk,	7_2_03392FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392F90 NtProtectVirtualMemory,LdrInitializeThunk,	7_2_03392F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392FE0 NtCreateFile,LdrInitializeThunk,	7_2_03392FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_03392EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_03392E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_03392D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_03392D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_03392DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392DD0 NtDelayExecution,LdrInitializeThunk,	7_2_03392DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_03392C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_03392CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03394340 NtSetContextThread,	7_2_03394340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03394650 NtSuspendThread,	7_2_03394650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392BA0 NtEnumerateValueKey,	7_2_03392BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392B80 NtQueryInformationFile,	7_2_03392B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392BE0 NtQueryValueKey,	7_2_03392BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392AB0 NtWaitForSingleObject,	7_2_03392AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392AF0 NtWriteFile,	7_2_03392AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392F60 NtCreateProcessEx,	7_2_03392F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392FA0 NtQuerySection,	7_2_03392FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392E30 NtWriteVirtualMemory,	7_2_03392E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392EE0 NtQueueApcThread,	7_2_03392EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392D00 NtSetInformationFile,	7_2_03392D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392DB0 NtEnumerateKey,	7_2_03392DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392C00 NtQueryInformationProcess,	7_2_03392C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392C60 NtCreateKey,	7_2_03392C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392CF0 NtOpenProcess,	7_2_03392CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392CC0 NtQueryVirtualMemory,	7_2_03392CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03393010 NtOpenDirectoryObject,	7_2_03393010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03393090 NtSetValueKey,	7_2_03393090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033935C0 NtCreateMutant,	7_2_033935C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033939B0 NtGetContextThread,	7_2_033939B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03393D10 NtOpenProcessToken,	7_2_03393D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03393D70 NtOpenThread,	7_2_03393D70
Source: C:\Windows\explorer.exe	Code function: 8_2_1135C232 NtCreateFile,	8_2_1135C232
Source: C:\Windows\explorer.exe	Code function: 8_2_1135DE12 NtProtectVirtualMemory,	8_2_1135DE12
Source: C:\Windows\explorer.exe	Code function: 8_2_1135DE0A NtProtectVirtualMemory,	8_2_1135DE0A

Detected potential crypto function

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Code function: 0_2_00A8D57C	0_2_00A8D57C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00401030	7_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D8D3	7_2_0041D8D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041E222	7_2_0041E222
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041E5D6	7_2_0041E5D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D583	7_2_0041D583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00402D90	7_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041EDA5	7_2_0041EDA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041DDB3	7_2_0041DDB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00409E5B	7_2_00409E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00409E60	7_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00402FB0	7_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341A352	7_2_0341A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034203E6	7_2_034203E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E3F0	7_2_0336E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E02C0	7_2_033E02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FA118	7_2_033FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350100	7_2_03350100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E8158	7_2_033E8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034181CC	7_2_034181CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034141A2	7_2_034141A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034201AA	7_2_034201AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03384750	7_2_03384750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335C7C0	7_2_0335C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337C6E0	7_2_0337C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03420591	7_2_03420591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03412446	7_2_03412446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03404420	7_2_03404420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340E4F6	7_2_0340E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341AB40	7_2_0341AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03416BD7	7_2_03416BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03376962	7_2_03376962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0342A9A6	7_2_0342A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03362840	7_2_03362840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336A840	7_2_0336A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033468B8	7_2_033468B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E8F0	7_2_0338E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03380F30	7_2_03380F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A2F28	7_2_033A2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03402F30	7_2_03402F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D4F40	7_2_033D4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DEFA0	7_2_033DEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336CFE0	7_2_0336CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03352FC8	7_2_03352FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341EE26	7_2_0341EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360E59	7_2_03360E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341EEDB	7_2_0341EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372E90	7_2_03372E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341CE93	7_2_0341CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FCD1F	7_2_033FCD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336AD00	7_2_0336AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03378DBF	7_2_03378DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335ADE0	7_2_0335ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360C00	7_2_03360C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350CF2	7_2_03350CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400CB5	7_2_03400CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341132D	7_2_0341132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334D34C	7_2_0334D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A739A	7_2_033A739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033652A0	7_2_033652A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034012ED	7_2_034012ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337B2C0	7_2_0337B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0342B16B	7_2_0342B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334F172	7_2_0334F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0339516C	7_2_0339516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336B1B0	7_2_0336B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340F0CC	7_2_0340F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341F0E0	7_2_0341F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034170E9	7_2_034170E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033670C0	7_2_033670C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341F7B0	7_2_0341F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A5630	7_2_033A5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034116CC	7_2_034116CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03417571	7_2_03417571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FD5B0	7_2_033FD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03351460	7_2_03351460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341F43F	7_2_0341F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341FB76	7_2_0341FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337FB80	7_2_0337FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0339DBF9	7_2_0339DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D5BF0	7_2_033D5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03417A46	7_2_03417A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341FA49	7_2_0341FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D3A6C	7_2_033D3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340DAC6	7_2_0340DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FDAAC	7_2_033FDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A5AA0	7_2_033A5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03401AA3	7_2_03401AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F5910	7_2_033F5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03369950	7_2_03369950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337B950	7_2_0337B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CD800	7_2_033CD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033638E0	7_2_033638E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341FF09	7_2_0341FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03361F92	7_2_03361F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341FFB1	7_2_0341FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03369EB0	7_2_03369EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03411D5A	7_2_03411D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03417D73	7_2_03417D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03363D40	7_2_03363D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337FDC0	7_2_0337FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D9C32	7_2_033D9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341FCF2	7_2_0341FCF2
Source: C:\Windows\explorer.exe	Code function: 8_2_08D6A082	8_2_08D6A082
Source: C:\Windows\explorer.exe	Code function: 8_2_08D73036	8_2_08D73036
Source: C:\Windows\explorer.exe	Code function: 8_2_08D775CD	8_2_08D775CD
Source: C:\Windows\explorer.exe	Code function: 8_2_08D71912	8_2_08D71912
Source: C:\Windows\explorer.exe	Code function: 8_2_08D6BD02	8_2_08D6BD02
Source: C:\Windows\explorer.exe	Code function: 8_2_08D74232	8_2_08D74232
Source: C:\Windows\explorer.exe	Code function: 8_2_08D6EB32	8_2_08D6EB32
Source: C:\Windows\explorer.exe	Code function: 8_2_08D6EB30	8_2_08D6EB30
Source: C:\Windows\explorer.exe	Code function: 8_2_0B895B30	8_2_0B895B30
Source: C:\Windows\explorer.exe	Code function: 8_2_0B895B32	8_2_0B895B32
Source: C:\Windows\explorer.exe	Code function: 8_2_0B89B232	8_2_0B89B232
Source: C:\Windows\explorer.exe	Code function: 8_2_0B89E5CD	8_2_0B89E5CD
Source: C:\Windows\explorer.exe	Code function: 8_2_0B892D02	8_2_0B892D02
Source: C:\Windows\explorer.exe	Code function: 8_2_0B898912	8_2_0B898912
Source: C:\Windows\explorer.exe	Code function: 8_2_0B891082	8_2_0B891082
Source: C:\Windows\explorer.exe	Code function: 8_2_0B89A036	8_2_0B89A036
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE39B32	8_2_0BE39B32
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE39B30	8_2_0BE39B30
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE3F232	8_2_0BE3F232
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE425CD	8_2_0BE425CD
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE36D02	8_2_0BE36D02
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE3C912	8_2_0BE3C912
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE35082	8_2_0BE35082
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE3E036	8_2_0BE3E036
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5B0232	8_2_0E5B0232
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5AAB32	8_2_0E5AAB32
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5AAB30	8_2_0E5AAB30
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5AF036	8_2_0E5AF036
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5A6082	8_2_0E5A6082
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5AD912	8_2_0E5AD912
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5A7D02	8_2_0E5A7D02
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5B35CD	8_2_0E5B35CD
Source: C:\Windows\explorer.exe	Code function: 8_2_0E753232	8_2_0E753232
Source: C:\Windows\explorer.exe	Code function: 8_2_0E74DB30	8_2_0E74DB30
Source: C:\Windows\explorer.exe	Code function: 8_2_0E74DB32	8_2_0E74DB32
Source: C:\Windows\explorer.exe	Code function: 8_2_0E752036	8_2_0E752036
Source: C:\Windows\explorer.exe	Code function: 8_2_0E749082	8_2_0E749082
Source: C:\Windows\explorer.exe	Code function: 8_2_0E750912	8_2_0E750912
Source: C:\Windows\explorer.exe	Code function: 8_2_0E74AD02	8_2_0E74AD02
Source: C:\Windows\explorer.exe	Code function: 8_2_0E7565CD	8_2_0E7565CD
Source: C:\Windows\explorer.exe	Code function: 8_2_0E87D232	8_2_0E87D232
Source: C:\Windows\explorer.exe	Code function: 8_2_0E877B32	8_2_0E877B32
Source: C:\Windows\explorer.exe	Code function: 8_2_0E877B30	8_2_0E877B30
Source: C:\Windows\explorer.exe	Code function: 8_2_0E873082	8_2_0E873082
Source: C:\Windows\explorer.exe	Code function: 8_2_0E87C036	8_2_0E87C036
Source: C:\Windows\explorer.exe	Code function: 8_2_0E8805CD	8_2_0E8805CD
Source: C:\Windows\explorer.exe	Code function: 8_2_0E874D02	8_2_0E874D02
Source: C:\Windows\explorer.exe	Code function: 8_2_0E87A912	8_2_0E87A912
Source: C:\Windows\explorer.exe	Code function: 8_2_101E2036	8_2_101E2036
Source: C:\Windows\explorer.exe	Code function: 8_2_101D9082	8_2_101D9082
Source: C:\Windows\explorer.exe	Code function: 8_2_101E0912	8_2_101E0912
Source: C:\Windows\explorer.exe	Code function: 8_2_101DAD02	8_2_101DAD02
Source: C:\Windows\explorer.exe	Code function: 8_2_101E65CD	8_2_101E65CD
Source: C:\Windows\explorer.exe	Code function: 8_2_101E3232	8_2_101E3232
Source: C:\Windows\explorer.exe	Code function: 8_2_101DDB30	8_2_101DDB30
Source: C:\Windows\explorer.exe	Code function: 8_2_101DDB32	8_2_101DDB32
Source: C:\Windows\explorer.exe	Code function: 8_2_102C4036	8_2_102C4036
Source: C:\Windows\explorer.exe	Code function: 8_2_102BB082	8_2_102BB082
Source: C:\Windows\explorer.exe	Code function: 8_2_102BCD02	8_2_102BCD02
Source: C:\Windows\explorer.exe	Code function: 8_2_102C2912	8_2_102C2912
Source: C:\Windows\explorer.exe	Code function: 8_2_102C85CD	8_2_102C85CD
Source: C:\Windows\explorer.exe	Code function: 8_2_102C5232	8_2_102C5232
Source: C:\Windows\explorer.exe	Code function: 8_2_102BFB32	8_2_102BFB32
Source: C:\Windows\explorer.exe	Code function: 8_2_102BFB30	8_2_102BFB30
Source: C:\Windows\explorer.exe	Code function: 8_2_1041E036	8_2_1041E036
Source: C:\Windows\explorer.exe	Code function: 8_2_10415082	8_2_10415082
Source: C:\Windows\explorer.exe	Code function: 8_2_10416D02	8_2_10416D02
Source: C:\Windows\explorer.exe	Code function: 8_2_1041C912	8_2_1041C912
Source: C:\Windows\explorer.exe	Code function: 8_2_104225CD	8_2_104225CD
Source: C:\Windows\explorer.exe	Code function: 8_2_1041F232	8_2_1041F232
Source: C:\Windows\explorer.exe	Code function: 8_2_10419B30	8_2_10419B30
Source: C:\Windows\explorer.exe	Code function: 8_2_10419B32	8_2_10419B32
Source: C:\Windows\explorer.exe	Code function: 8_2_106F5036	8_2_106F5036
Source: C:\Windows\explorer.exe	Code function: 8_2_106EC082	8_2_106EC082
Source: C:\Windows\explorer.exe	Code function: 8_2_106EDD02	8_2_106EDD02
Source: C:\Windows\explorer.exe	Code function: 8_2_106F3912	8_2_106F3912
Source: C:\Windows\explorer.exe	Code function: 8_2_106F95CD	8_2_106F95CD
Source: C:\Windows\explorer.exe	Code function: 8_2_106F6232	8_2_106F6232
Source: C:\Windows\explorer.exe	Code function: 8_2_106F0B32	8_2_106F0B32
Source: C:\Windows\explorer.exe	Code function: 8_2_106F0B30	8_2_106F0B30
Source: C:\Windows\explorer.exe	Code function: 8_2_1135C232	8_2_1135C232
Source: C:\Windows\explorer.exe	Code function: 8_2_11356B30	8_2_11356B30
Source: C:\Windows\explorer.exe	Code function: 8_2_11356B32	8_2_11356B32
Source: C:\Windows\explorer.exe	Code function: 8_2_11359912	8_2_11359912
Source: C:\Windows\explorer.exe	Code function: 8_2_11353D02	8_2_11353D02
Source: C:\Windows\explorer.exe	Code function: 8_2_1135F5CD	8_2_1135F5CD
Source: C:\Windows\explorer.exe	Code function: 8_2_1135B036	8_2_1135B036
Source: C:\Windows\explorer.exe	Code function: 8_2_11352082	8_2_11352082
Source: C:\Windows\explorer.exe	Code function: 8_2_114A9D02	8_2_114A9D02
Source: C:\Windows\explorer.exe	Code function: 8_2_114AF912	8_2_114AF912
Source: C:\Windows\explorer.exe	Code function: 8_2_114B55CD	8_2_114B55CD
Source: C:\Windows\explorer.exe	Code function: 8_2_114B1036	8_2_114B1036
Source: C:\Windows\explorer.exe	Code function: 8_2_114A8082	8_2_114A8082
Source: C:\Windows\explorer.exe	Code function: 8_2_114ACB32	8_2_114ACB32
Source: C:\Windows\explorer.exe	Code function: 8_2_114ACB30	8_2_114ACB30
Source: C:\Windows\explorer.exe	Code function: 8_2_114B2232	8_2_114B2232
Source: C:\Windows\explorer.exe	Code function: 8_2_11B705CD	8_2_11B705CD
Source: C:\Windows\explorer.exe	Code function: 8_2_11B6A912	8_2_11B6A912
Source: C:\Windows\explorer.exe	Code function: 8_2_11B64D02	8_2_11B64D02
Source: C:\Windows\explorer.exe	Code function: 8_2_11B63082	8_2_11B63082
Source: C:\Windows\explorer.exe	Code function: 8_2_11B6C036	8_2_11B6C036
Source: C:\Windows\explorer.exe	Code function: 8_2_11B67B32	8_2_11B67B32
Source: C:\Windows\explorer.exe	Code function: 8_2_11B67B30	8_2_11B67B30
Source: C:\Windows\explorer.exe	Code function: 8_2_11B6D232	8_2_11B6D232

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 033CEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 03395130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 033DF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0334B970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 033A7E54 appears 111 times

Sample file is different than original file name gathered from version info

Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2173126899.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PURCHASED ORDER OF ENG091.exe
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000000.2119860002.0000000000448000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAewlani.exe4 vs PURCHASED ORDER OF ENG091.exe

Uses 32bit PE files

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses a Windows Living Off The Land Binaries (LOL bins)

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"			Jump to behavior

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Yara signature match

Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: PURCHASED ORDER OF ENG091.exe PID: 3472, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 5412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: cmstp.exe PID: 5552, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif PID: 5728, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmmon32.exe PID: 4620, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif PID: 4872, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 3700, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif PID: 3004, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif PID: 3924, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 1824, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif PID: 5128, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wlanext.exe PID: 3632, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif PID: 2264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 5748, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif.pif PID: 2704, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 6488, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif.pif PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: netsh.exe PID: 5096, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@474/15@7/5

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASED ORDER OF ENG091.exe.log

Jump to behavior

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_03

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PURCHASED ORDER OF ENG091.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\explorer.exe

File read: C:\Users\user\Documents\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"

Source: PURCHASED ORDER OF ENG091.exe	ReversingLabs: Detection: 60%
Source: PURCHASED ORDER OF ENG091.exe	Virustotal: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe "C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe"
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c Copy "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif" "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: devobj.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: version.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: wldp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: profapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rasman.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: amsi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: userenv.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PURCHASED ORDER OF ENG091.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: chkdsk.pdbGCTL source: RegAsm.exe, 00000045.00000002.2892603642.0000000001380000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000046.00000002.2895393793.0000000000130000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdbGCTL source: RegAsm.exe, 00000007.00000002.2235793612.0000000001540000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365281971.0000000000220000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdb source: RegAsm.exe, 00000013.00000002.2357394928.0000000001720000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367071175.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msdt.pdbGCTL source: RegAsm.exe, 0000001B.00000002.2433869260.00000000026F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436801979.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 00000025.00000002.2526883807.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824411296.0000000000E80000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netsh.pdb source: RegAsm.exe, 0000004D.00000002.3028255621.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 0000004E.00000002.3033972586.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\password_generator-master\obj\Debug\Aewlani.pdb source: PURCHASED ORDER OF ENG091.exe, 00000000.00000000.2119834627.0000000000442000.00000002.00000001.01000000.00000003.sdmp, cmd.exe, 00000005.00000003.2161957449.00000000032E5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2315915569.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000003.2390659515.0000000003086000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000022.00000003.2479534553.0000000002695000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002A.00000003.2596807840.0000000003135000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000032.00000003.2684351983.00000000032E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000003A.00000003.2769484455.0000000002905000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000043.00000003.2848660519.00000000032C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000004B.00000003.2975731288.00000000035E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: RegAsm.exe, 00000013.00000002.2357394928.0000000001720000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367071175.0000000000370000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: RegAsm.exe, 00000045.00000002.2892603642.0000000001380000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000046.00000002.2895393793.0000000000130000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000007.00000002.2236865702.0000000003320000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2237767546.0000000004599000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.0000000004740000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2235631145.00000000043E5000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2357315746.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2364128162.0000000004CBC000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.000000000500E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004B9E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2432746712.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2435053187.0000000004854000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.000000000502E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2522733065.0000000004AEF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2524932833.0000000004CDC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2644284547.00000000046C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2647610865.0000000004879000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2729298239.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002CE0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002E7E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2727219080.0000000002985000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2815565973.0000000004B43000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004E8E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2812512464.0000000004999000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000046.00000003.2893566375.00000000056D8000.00000004.00000020.00020000.00000
Source:	Binary string: RegAsm.pdb source: explorer.exe, 00000008.00000002.3389406505.0000000010A9F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3367455817.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365692981.000000000293B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netsh.pdbGCTL source: RegAsm.exe, 0000004D.00000002.3028255621.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 0000004E.00000002.3033972586.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2236865702.0000000003320000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2237767546.0000000004599000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.0000000004740000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.2235631145.00000000043E5000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3366809069.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2357315746.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000003.2364128162.0000000004CBC000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.000000000500E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000014.00000002.2367516642.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004B9E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436864306.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2432746712.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000001C.00000003.2435053187.0000000004854000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.000000000502E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000002.2527278356.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2522733065.0000000004AEF000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000025.00000003.2524932833.0000000004CDC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2644284547.00000000046C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000003.2647610865.0000000004879000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2649407934.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2729298239.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002CE0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732895661.0000000002E7E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000035.00000003.2727219080.0000000002985000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2815565973.0000000004B43000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004E8E000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824847586.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000003E.00000003.2812512464.0000000004999000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000046.00000003.2893566375.00000000056D8000.00000004.00000020.00020
Source:	Binary string: rundll32.pdb source: RegAsm.exe, 0000002C.00000002.2646537881.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2648985101.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: RegAsm.exe, 00000034.00000002.2729173666.0000000002940000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732547455.0000000000960000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: RegAsm.exe, 0000002C.00000002.2646537881.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 0000002D.00000002.2648985101.0000000000270000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: RegAsm.exe, 00000007.00000002.2235793612.0000000001540000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365281971.0000000000220000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: explorer.exe, 00000008.00000002.3389406505.0000000010A9F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3367455817.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3365692981.000000000293B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msdt.pdb source: RegAsm.exe, 0000001B.00000002.2433869260.00000000026F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 0000001C.00000002.2436801979.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 00000025.00000002.2526883807.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, msdt.exe, 0000003E.00000002.2824411296.0000000000E80000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: RegAsm.exe, 00000034.00000002.2729173666.0000000002940000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, 00000035.00000002.2732547455.0000000000960000.00000040.80000000.00040000.00000000.sdmp

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Code function: 0_2_00A88FA0 push eax; iretd	0_2_00A88F87
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Code function: 0_2_00A88F7D push eax; iretd	0_2_00A88F87
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Code function: 0_2_00A8D9BA push esp; ret	0_2_00A8D9F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004179C8 push es; retf	7_2_004179C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00410B2E push edx; retf	7_2_00410B2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D4E2 push eax; ret	7_2_0041D4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D4EB push eax; ret	7_2_0041D552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D495 push eax; ret	7_2_0041D4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D54C push eax; ret	7_2_0041D552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00407D65 push esi; iretd	7_2_00407D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004165BD push esi; retf	7_2_004165BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033509AD push ecx; mov dword ptr [esp], ecx	7_2_033509B6
Source: C:\Windows\explorer.exe	Code function: 8_2_08D779B5 push esp; retn 0000h	8_2_08D77AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_08D77B1E push esp; retn 0000h	8_2_08D77B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_08D77B02 push esp; retn 0000h	8_2_08D77B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0B89EB02 push esp; retn 0000h	8_2_0B89EB03
Source: C:\Windows\explorer.exe	Code function: 8_2_0B89EB1E push esp; retn 0000h	8_2_0B89EB1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0B89E9B5 push esp; retn 0000h	8_2_0B89EAE7
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE42B02 push esp; retn 0000h	8_2_0BE42B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE42B1E push esp; retn 0000h	8_2_0BE42B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0BE429B5 push esp; retn 0000h	8_2_0BE42AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5B3B1E push esp; retn 0000h	8_2_0E5B3B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5B3B02 push esp; retn 0000h	8_2_0E5B3B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0E5B39B5 push esp; retn 0000h	8_2_0E5B3AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_0E756B1E push esp; retn 0000h	8_2_0E756B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0E756B02 push esp; retn 0000h	8_2_0E756B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0E7569B5 push esp; retn 0000h	8_2_0E756AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_0E880B02 push esp; retn 0000h	8_2_0E880B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0E880B1E push esp; retn 0000h	8_2_0E880B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0E8809B5 push esp; retn 0000h	8_2_0E880AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_101E69B5 push esp; retn 0000h	8_2_101E6AE7

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Jump to dropped file

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Jump to dropped file

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Drops PE files

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif.pif.pif
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PURCHASED ORDER OF ENG091.pif.pif.pif.pif

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xE5

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif PID: 5728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif PID: 4872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif PID: 3004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif PID: 3924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif PID: 5128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif PID: 2264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif.pif PID: 2704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PURCHASED ORDER OF ENG091.pif.pif.pif.pif PID: 6648, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 28B9904 second address: 28B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 28B9B7E second address: 28B9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 2ED9904 second address: 2ED990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 2ED9B7E second address: 2ED9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 6E9904 second address: 6E990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 6E9B7E second address: 6E9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: B39904 second address: B3990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: B39B7E second address: B39B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 2C09904 second address: 2C0990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 2C09B7E second address: 2C09B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 609904 second address: 60990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 609B7E second address: 609B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 969904 second address: 96990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 969B7E second address: 969B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 5079904 second address: 507990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 5079B7E second address: 5079B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 3199904 second address: 319990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 3199B7E second address: 3199B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Memory allocated: A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Memory allocated: DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: B80000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: 2700000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: B80000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: 710000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: 2280000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: 21B0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: 840000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: 2350000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: 2290000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: 2B10000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: 2CA0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: 4CA0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: 2AC0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: 2AC0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: 17B0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: 3290000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: 5290000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Memory allocated: 26F0000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Memory allocated: 2910000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Memory allocated: 4910000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Memory allocated: 3310000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Memory allocated: 3110000 memory reserve \| memory write watch

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_00409AB0 rdtsc

7_2_00409AB0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9473	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 459	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 525	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 7174	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 2797	Jump to behavior

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 1.6 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe TID: 1292	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe TID: 2264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4344	Thread sleep time: -18946000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4344	Thread sleep time: -918000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4876	Thread sleep count: 7174 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4876	Thread sleep time: -14348000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4876	Thread sleep count: 2797 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4876	Thread sleep time: -5594000s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif TID: 5956	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif TID: 7164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif TID: 6628	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif TID: 3564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif TID: 5332	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif TID: 3632	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif TID: 2308	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif TID: 2420	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif TID: 4884	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif TID: 4200	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif TID: 6244	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif TID: 3960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif TID: 7072	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif TID: 6740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif TID: 5696	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif TID: 6492	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Thread delayed: delay time: 922337203685477

Source: explorer.exe, 00000008.00000002.3377674269.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000008.00000002.3377674269.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000008.00000002.3377674269.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2185822168.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2401595350.0000000000808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: explorer.exe, 00000008.00000003.2979140509.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000008.00000002.3377674269.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000008.00000000.2192292885.000000000C474000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: &me#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94
Source: explorer.exe, 00000008.00000000.2175448069.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2185822168.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000008.00000000.2175448069.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 00000047.00000002.2991343791.000000000146B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: explorer.exe, 00000008.00000002.3371865192.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000008.00000003.2979140509.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: PURCHASED ORDER OF ENG091.pif.pif.pif, 00000036.00000002.2781754362.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: explorer.exe, 00000008.00000000.2175448069.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2173848112.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2326904554.000000000073D000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2491782208.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2612117214.0000000001234000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 0000002E.00000002.2696733551.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 0000003F.00000002.2862373835.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000008.00000003.2979140509.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000008.00000000.2175448069.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_00409AB0 rdtsc

7_2_00409AB0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_0040ACF0 LdrLoadDll,

7_2_0040ACF0

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0342634F mov eax, dword ptr fs:[00000030h]	7_2_0342634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341A352 mov eax, dword ptr fs:[00000030h]	7_2_0341A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334C310 mov ecx, dword ptr fs:[00000030h]	7_2_0334C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03370310 mov ecx, dword ptr fs:[00000030h]	7_2_03370310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A30B mov eax, dword ptr fs:[00000030h]	7_2_0338A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A30B mov eax, dword ptr fs:[00000030h]	7_2_0338A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A30B mov eax, dword ptr fs:[00000030h]	7_2_0338A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F437C mov eax, dword ptr fs:[00000030h]	7_2_033F437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D035C mov eax, dword ptr fs:[00000030h]	7_2_033D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D035C mov eax, dword ptr fs:[00000030h]	7_2_033D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D035C mov eax, dword ptr fs:[00000030h]	7_2_033D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D035C mov ecx, dword ptr fs:[00000030h]	7_2_033D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D035C mov eax, dword ptr fs:[00000030h]	7_2_033D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D035C mov eax, dword ptr fs:[00000030h]	7_2_033D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F8350 mov ecx, dword ptr fs:[00000030h]	7_2_033F8350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D2349 mov eax, dword ptr fs:[00000030h]	7_2_033D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340C3CD mov eax, dword ptr fs:[00000030h]	7_2_0340C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03348397 mov eax, dword ptr fs:[00000030h]	7_2_03348397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03348397 mov eax, dword ptr fs:[00000030h]	7_2_03348397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03348397 mov eax, dword ptr fs:[00000030h]	7_2_03348397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337438F mov eax, dword ptr fs:[00000030h]	7_2_0337438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337438F mov eax, dword ptr fs:[00000030h]	7_2_0337438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334E388 mov eax, dword ptr fs:[00000030h]	7_2_0334E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334E388 mov eax, dword ptr fs:[00000030h]	7_2_0334E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334E388 mov eax, dword ptr fs:[00000030h]	7_2_0334E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0336E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0336E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0336E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033863FF mov eax, dword ptr fs:[00000030h]	7_2_033863FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033603E9 mov eax, dword ptr fs:[00000030h]	7_2_033603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE3DB mov eax, dword ptr fs:[00000030h]	7_2_033FE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE3DB mov eax, dword ptr fs:[00000030h]	7_2_033FE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE3DB mov ecx, dword ptr fs:[00000030h]	7_2_033FE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE3DB mov eax, dword ptr fs:[00000030h]	7_2_033FE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F43D4 mov eax, dword ptr fs:[00000030h]	7_2_033F43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F43D4 mov eax, dword ptr fs:[00000030h]	7_2_033F43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0335A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0335A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0335A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0335A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0335A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0335A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033583C0 mov eax, dword ptr fs:[00000030h]	7_2_033583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033583C0 mov eax, dword ptr fs:[00000030h]	7_2_033583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033583C0 mov eax, dword ptr fs:[00000030h]	7_2_033583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033583C0 mov eax, dword ptr fs:[00000030h]	7_2_033583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D63C0 mov eax, dword ptr fs:[00000030h]	7_2_033D63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334823B mov eax, dword ptr fs:[00000030h]	7_2_0334823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340A250 mov eax, dword ptr fs:[00000030h]	7_2_0340A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340A250 mov eax, dword ptr fs:[00000030h]	7_2_0340A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0342625D mov eax, dword ptr fs:[00000030h]	7_2_0342625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03400274 mov eax, dword ptr fs:[00000030h]	7_2_03400274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354260 mov eax, dword ptr fs:[00000030h]	7_2_03354260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354260 mov eax, dword ptr fs:[00000030h]	7_2_03354260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354260 mov eax, dword ptr fs:[00000030h]	7_2_03354260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334826B mov eax, dword ptr fs:[00000030h]	7_2_0334826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334A250 mov eax, dword ptr fs:[00000030h]	7_2_0334A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356259 mov eax, dword ptr fs:[00000030h]	7_2_03356259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D8243 mov eax, dword ptr fs:[00000030h]	7_2_033D8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D8243 mov ecx, dword ptr fs:[00000030h]	7_2_033D8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034262D6 mov eax, dword ptr fs:[00000030h]	7_2_034262D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E62A0 mov eax, dword ptr fs:[00000030h]	7_2_033E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E62A0 mov ecx, dword ptr fs:[00000030h]	7_2_033E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E62A0 mov eax, dword ptr fs:[00000030h]	7_2_033E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E62A0 mov eax, dword ptr fs:[00000030h]	7_2_033E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E62A0 mov eax, dword ptr fs:[00000030h]	7_2_033E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E62A0 mov eax, dword ptr fs:[00000030h]	7_2_033E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E284 mov eax, dword ptr fs:[00000030h]	7_2_0338E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E284 mov eax, dword ptr fs:[00000030h]	7_2_0338E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D0283 mov eax, dword ptr fs:[00000030h]	7_2_033D0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D0283 mov eax, dword ptr fs:[00000030h]	7_2_033D0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D0283 mov eax, dword ptr fs:[00000030h]	7_2_033D0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033602E1 mov eax, dword ptr fs:[00000030h]	7_2_033602E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033602E1 mov eax, dword ptr fs:[00000030h]	7_2_033602E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033602E1 mov eax, dword ptr fs:[00000030h]	7_2_033602E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0335A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0335A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0335A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0335A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0335A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03380124 mov eax, dword ptr fs:[00000030h]	7_2_03380124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424164 mov eax, dword ptr fs:[00000030h]	7_2_03424164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424164 mov eax, dword ptr fs:[00000030h]	7_2_03424164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FA118 mov ecx, dword ptr fs:[00000030h]	7_2_033FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FA118 mov eax, dword ptr fs:[00000030h]	7_2_033FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FA118 mov eax, dword ptr fs:[00000030h]	7_2_033FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FA118 mov eax, dword ptr fs:[00000030h]	7_2_033FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov eax, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov ecx, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov eax, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov eax, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov ecx, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov eax, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov eax, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov ecx, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov eax, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FE10E mov ecx, dword ptr fs:[00000030h]	7_2_033FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03410115 mov eax, dword ptr fs:[00000030h]	7_2_03410115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356154 mov eax, dword ptr fs:[00000030h]	7_2_03356154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356154 mov eax, dword ptr fs:[00000030h]	7_2_03356154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334C156 mov eax, dword ptr fs:[00000030h]	7_2_0334C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E8158 mov eax, dword ptr fs:[00000030h]	7_2_033E8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E4144 mov eax, dword ptr fs:[00000030h]	7_2_033E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E4144 mov eax, dword ptr fs:[00000030h]	7_2_033E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E4144 mov ecx, dword ptr fs:[00000030h]	7_2_033E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E4144 mov eax, dword ptr fs:[00000030h]	7_2_033E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E4144 mov eax, dword ptr fs:[00000030h]	7_2_033E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034161C3 mov eax, dword ptr fs:[00000030h]	7_2_034161C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034161C3 mov eax, dword ptr fs:[00000030h]	7_2_034161C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D019F mov eax, dword ptr fs:[00000030h]	7_2_033D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D019F mov eax, dword ptr fs:[00000030h]	7_2_033D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D019F mov eax, dword ptr fs:[00000030h]	7_2_033D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D019F mov eax, dword ptr fs:[00000030h]	7_2_033D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334A197 mov eax, dword ptr fs:[00000030h]	7_2_0334A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334A197 mov eax, dword ptr fs:[00000030h]	7_2_0334A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334A197 mov eax, dword ptr fs:[00000030h]	7_2_0334A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034261E5 mov eax, dword ptr fs:[00000030h]	7_2_034261E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03390185 mov eax, dword ptr fs:[00000030h]	7_2_03390185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F4180 mov eax, dword ptr fs:[00000030h]	7_2_033F4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F4180 mov eax, dword ptr fs:[00000030h]	7_2_033F4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033801F8 mov eax, dword ptr fs:[00000030h]	7_2_033801F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340C188 mov eax, dword ptr fs:[00000030h]	7_2_0340C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340C188 mov eax, dword ptr fs:[00000030h]	7_2_0340C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE1D0 mov eax, dword ptr fs:[00000030h]	7_2_033CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE1D0 mov eax, dword ptr fs:[00000030h]	7_2_033CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE1D0 mov ecx, dword ptr fs:[00000030h]	7_2_033CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE1D0 mov eax, dword ptr fs:[00000030h]	7_2_033CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE1D0 mov eax, dword ptr fs:[00000030h]	7_2_033CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E6030 mov eax, dword ptr fs:[00000030h]	7_2_033E6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334A020 mov eax, dword ptr fs:[00000030h]	7_2_0334A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334C020 mov eax, dword ptr fs:[00000030h]	7_2_0334C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E016 mov eax, dword ptr fs:[00000030h]	7_2_0336E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E016 mov eax, dword ptr fs:[00000030h]	7_2_0336E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E016 mov eax, dword ptr fs:[00000030h]	7_2_0336E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E016 mov eax, dword ptr fs:[00000030h]	7_2_0336E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D4000 mov ecx, dword ptr fs:[00000030h]	7_2_033D4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F2000 mov eax, dword ptr fs:[00000030h]	7_2_033F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337C073 mov eax, dword ptr fs:[00000030h]	7_2_0337C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03352050 mov eax, dword ptr fs:[00000030h]	7_2_03352050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6050 mov eax, dword ptr fs:[00000030h]	7_2_033D6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033480A0 mov eax, dword ptr fs:[00000030h]	7_2_033480A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E80A8 mov eax, dword ptr fs:[00000030h]	7_2_033E80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335208A mov eax, dword ptr fs:[00000030h]	7_2_0335208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334C0F0 mov eax, dword ptr fs:[00000030h]	7_2_0334C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033920F0 mov ecx, dword ptr fs:[00000030h]	7_2_033920F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334A0E3 mov ecx, dword ptr fs:[00000030h]	7_2_0334A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033580E9 mov eax, dword ptr fs:[00000030h]	7_2_033580E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D60E0 mov eax, dword ptr fs:[00000030h]	7_2_033D60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D20DE mov eax, dword ptr fs:[00000030h]	7_2_033D20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034160B8 mov eax, dword ptr fs:[00000030h]	7_2_034160B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034160B8 mov ecx, dword ptr fs:[00000030h]	7_2_034160B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338273C mov eax, dword ptr fs:[00000030h]	7_2_0338273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338273C mov ecx, dword ptr fs:[00000030h]	7_2_0338273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338273C mov eax, dword ptr fs:[00000030h]	7_2_0338273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CC730 mov eax, dword ptr fs:[00000030h]	7_2_033CC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338C720 mov eax, dword ptr fs:[00000030h]	7_2_0338C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338C720 mov eax, dword ptr fs:[00000030h]	7_2_0338C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350710 mov eax, dword ptr fs:[00000030h]	7_2_03350710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03380710 mov eax, dword ptr fs:[00000030h]	7_2_03380710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338C700 mov eax, dword ptr fs:[00000030h]	7_2_0338C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358770 mov eax, dword ptr fs:[00000030h]	7_2_03358770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360770 mov eax, dword ptr fs:[00000030h]	7_2_03360770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DE75D mov eax, dword ptr fs:[00000030h]	7_2_033DE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350750 mov eax, dword ptr fs:[00000030h]	7_2_03350750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D4755 mov eax, dword ptr fs:[00000030h]	7_2_033D4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392750 mov eax, dword ptr fs:[00000030h]	7_2_03392750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392750 mov eax, dword ptr fs:[00000030h]	7_2_03392750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338674D mov esi, dword ptr fs:[00000030h]	7_2_0338674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338674D mov eax, dword ptr fs:[00000030h]	7_2_0338674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338674D mov eax, dword ptr fs:[00000030h]	7_2_0338674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033507AF mov eax, dword ptr fs:[00000030h]	7_2_033507AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F678E mov eax, dword ptr fs:[00000030h]	7_2_033F678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033547FB mov eax, dword ptr fs:[00000030h]	7_2_033547FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033547FB mov eax, dword ptr fs:[00000030h]	7_2_033547FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033727ED mov eax, dword ptr fs:[00000030h]	7_2_033727ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033727ED mov eax, dword ptr fs:[00000030h]	7_2_033727ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033727ED mov eax, dword ptr fs:[00000030h]	7_2_033727ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DE7E1 mov eax, dword ptr fs:[00000030h]	7_2_033DE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034047A0 mov eax, dword ptr fs:[00000030h]	7_2_034047A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335C7C0 mov eax, dword ptr fs:[00000030h]	7_2_0335C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D07C3 mov eax, dword ptr fs:[00000030h]	7_2_033D07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336E627 mov eax, dword ptr fs:[00000030h]	7_2_0336E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03386620 mov eax, dword ptr fs:[00000030h]	7_2_03386620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03388620 mov eax, dword ptr fs:[00000030h]	7_2_03388620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335262C mov eax, dword ptr fs:[00000030h]	7_2_0335262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03392619 mov eax, dword ptr fs:[00000030h]	7_2_03392619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341866E mov eax, dword ptr fs:[00000030h]	7_2_0341866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341866E mov eax, dword ptr fs:[00000030h]	7_2_0341866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE609 mov eax, dword ptr fs:[00000030h]	7_2_033CE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336260B mov eax, dword ptr fs:[00000030h]	7_2_0336260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03382674 mov eax, dword ptr fs:[00000030h]	7_2_03382674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A660 mov eax, dword ptr fs:[00000030h]	7_2_0338A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A660 mov eax, dword ptr fs:[00000030h]	7_2_0338A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0336C640 mov eax, dword ptr fs:[00000030h]	7_2_0336C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033866B0 mov eax, dword ptr fs:[00000030h]	7_2_033866B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338C6A6 mov eax, dword ptr fs:[00000030h]	7_2_0338C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354690 mov eax, dword ptr fs:[00000030h]	7_2_03354690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354690 mov eax, dword ptr fs:[00000030h]	7_2_03354690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D06F1 mov eax, dword ptr fs:[00000030h]	7_2_033D06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D06F1 mov eax, dword ptr fs:[00000030h]	7_2_033D06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE6F2 mov eax, dword ptr fs:[00000030h]	7_2_033CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE6F2 mov eax, dword ptr fs:[00000030h]	7_2_033CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE6F2 mov eax, dword ptr fs:[00000030h]	7_2_033CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE6F2 mov eax, dword ptr fs:[00000030h]	7_2_033CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A6C7 mov ebx, dword ptr fs:[00000030h]	7_2_0338A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A6C7 mov eax, dword ptr fs:[00000030h]	7_2_0338A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535 mov eax, dword ptr fs:[00000030h]	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535 mov eax, dword ptr fs:[00000030h]	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535 mov eax, dword ptr fs:[00000030h]	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535 mov eax, dword ptr fs:[00000030h]	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535 mov eax, dword ptr fs:[00000030h]	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360535 mov eax, dword ptr fs:[00000030h]	7_2_03360535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E53E mov eax, dword ptr fs:[00000030h]	7_2_0337E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E53E mov eax, dword ptr fs:[00000030h]	7_2_0337E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E53E mov eax, dword ptr fs:[00000030h]	7_2_0337E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E53E mov eax, dword ptr fs:[00000030h]	7_2_0337E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E53E mov eax, dword ptr fs:[00000030h]	7_2_0337E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E6500 mov eax, dword ptr fs:[00000030h]	7_2_033E6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424500 mov eax, dword ptr fs:[00000030h]	7_2_03424500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338656A mov eax, dword ptr fs:[00000030h]	7_2_0338656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338656A mov eax, dword ptr fs:[00000030h]	7_2_0338656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338656A mov eax, dword ptr fs:[00000030h]	7_2_0338656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358550 mov eax, dword ptr fs:[00000030h]	7_2_03358550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358550 mov eax, dword ptr fs:[00000030h]	7_2_03358550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033745B1 mov eax, dword ptr fs:[00000030h]	7_2_033745B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033745B1 mov eax, dword ptr fs:[00000030h]	7_2_033745B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D05A7 mov eax, dword ptr fs:[00000030h]	7_2_033D05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D05A7 mov eax, dword ptr fs:[00000030h]	7_2_033D05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D05A7 mov eax, dword ptr fs:[00000030h]	7_2_033D05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E59C mov eax, dword ptr fs:[00000030h]	7_2_0338E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03384588 mov eax, dword ptr fs:[00000030h]	7_2_03384588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03352582 mov eax, dword ptr fs:[00000030h]	7_2_03352582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03352582 mov ecx, dword ptr fs:[00000030h]	7_2_03352582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0337E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033525E0 mov eax, dword ptr fs:[00000030h]	7_2_033525E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338C5ED mov eax, dword ptr fs:[00000030h]	7_2_0338C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338C5ED mov eax, dword ptr fs:[00000030h]	7_2_0338C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033565D0 mov eax, dword ptr fs:[00000030h]	7_2_033565D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0338A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0338A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E5CF mov eax, dword ptr fs:[00000030h]	7_2_0338E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E5CF mov eax, dword ptr fs:[00000030h]	7_2_0338E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A430 mov eax, dword ptr fs:[00000030h]	7_2_0338A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334C427 mov eax, dword ptr fs:[00000030h]	7_2_0334C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334E420 mov eax, dword ptr fs:[00000030h]	7_2_0334E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334E420 mov eax, dword ptr fs:[00000030h]	7_2_0334E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334E420 mov eax, dword ptr fs:[00000030h]	7_2_0334E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340A456 mov eax, dword ptr fs:[00000030h]	7_2_0340A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D6420 mov eax, dword ptr fs:[00000030h]	7_2_033D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03388402 mov eax, dword ptr fs:[00000030h]	7_2_03388402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03388402 mov eax, dword ptr fs:[00000030h]	7_2_03388402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03388402 mov eax, dword ptr fs:[00000030h]	7_2_03388402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337A470 mov eax, dword ptr fs:[00000030h]	7_2_0337A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337A470 mov eax, dword ptr fs:[00000030h]	7_2_0337A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337A470 mov eax, dword ptr fs:[00000030h]	7_2_0337A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DC460 mov ecx, dword ptr fs:[00000030h]	7_2_033DC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334645D mov eax, dword ptr fs:[00000030h]	7_2_0334645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337245A mov eax, dword ptr fs:[00000030h]	7_2_0337245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338E443 mov eax, dword ptr fs:[00000030h]	7_2_0338E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033844B0 mov ecx, dword ptr fs:[00000030h]	7_2_033844B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DA4B0 mov eax, dword ptr fs:[00000030h]	7_2_033DA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033564AB mov eax, dword ptr fs:[00000030h]	7_2_033564AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033504E5 mov ecx, dword ptr fs:[00000030h]	7_2_033504E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0340A49A mov eax, dword ptr fs:[00000030h]	7_2_0340A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341AB40 mov eax, dword ptr fs:[00000030h]	7_2_0341AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03404B4B mov eax, dword ptr fs:[00000030h]	7_2_03404B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03404B4B mov eax, dword ptr fs:[00000030h]	7_2_03404B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03422B57 mov eax, dword ptr fs:[00000030h]	7_2_03422B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03422B57 mov eax, dword ptr fs:[00000030h]	7_2_03422B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03422B57 mov eax, dword ptr fs:[00000030h]	7_2_03422B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03422B57 mov eax, dword ptr fs:[00000030h]	7_2_03422B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337EB20 mov eax, dword ptr fs:[00000030h]	7_2_0337EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337EB20 mov eax, dword ptr fs:[00000030h]	7_2_0337EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CEB1D mov eax, dword ptr fs:[00000030h]	7_2_033CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424B00 mov eax, dword ptr fs:[00000030h]	7_2_03424B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0334CB7E mov eax, dword ptr fs:[00000030h]	7_2_0334CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03348B50 mov eax, dword ptr fs:[00000030h]	7_2_03348B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03418B28 mov eax, dword ptr fs:[00000030h]	7_2_03418B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03418B28 mov eax, dword ptr fs:[00000030h]	7_2_03418B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FEB50 mov eax, dword ptr fs:[00000030h]	7_2_033FEB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F8B42 mov eax, dword ptr fs:[00000030h]	7_2_033F8B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E6B40 mov eax, dword ptr fs:[00000030h]	7_2_033E6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E6B40 mov eax, dword ptr fs:[00000030h]	7_2_033E6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360BBE mov eax, dword ptr fs:[00000030h]	7_2_03360BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360BBE mov eax, dword ptr fs:[00000030h]	7_2_03360BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358BF0 mov eax, dword ptr fs:[00000030h]	7_2_03358BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358BF0 mov eax, dword ptr fs:[00000030h]	7_2_03358BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358BF0 mov eax, dword ptr fs:[00000030h]	7_2_03358BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337EBFC mov eax, dword ptr fs:[00000030h]	7_2_0337EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DCBF0 mov eax, dword ptr fs:[00000030h]	7_2_033DCBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FEBD0 mov eax, dword ptr fs:[00000030h]	7_2_033FEBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03404BB0 mov eax, dword ptr fs:[00000030h]	7_2_03404BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03404BB0 mov eax, dword ptr fs:[00000030h]	7_2_03404BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350BCD mov eax, dword ptr fs:[00000030h]	7_2_03350BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350BCD mov eax, dword ptr fs:[00000030h]	7_2_03350BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350BCD mov eax, dword ptr fs:[00000030h]	7_2_03350BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03370BCB mov eax, dword ptr fs:[00000030h]	7_2_03370BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03370BCB mov eax, dword ptr fs:[00000030h]	7_2_03370BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03370BCB mov eax, dword ptr fs:[00000030h]	7_2_03370BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338CA38 mov eax, dword ptr fs:[00000030h]	7_2_0338CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03374A35 mov eax, dword ptr fs:[00000030h]	7_2_03374A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03374A35 mov eax, dword ptr fs:[00000030h]	7_2_03374A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0337EA2E mov eax, dword ptr fs:[00000030h]	7_2_0337EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338CA24 mov eax, dword ptr fs:[00000030h]	7_2_0338CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DCA11 mov eax, dword ptr fs:[00000030h]	7_2_033DCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CCA72 mov eax, dword ptr fs:[00000030h]	7_2_033CCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CCA72 mov eax, dword ptr fs:[00000030h]	7_2_033CCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338CA6F mov eax, dword ptr fs:[00000030h]	7_2_0338CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338CA6F mov eax, dword ptr fs:[00000030h]	7_2_0338CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338CA6F mov eax, dword ptr fs:[00000030h]	7_2_0338CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033FEA60 mov eax, dword ptr fs:[00000030h]	7_2_033FEA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03356A50 mov eax, dword ptr fs:[00000030h]	7_2_03356A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360A5B mov eax, dword ptr fs:[00000030h]	7_2_03360A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03360A5B mov eax, dword ptr fs:[00000030h]	7_2_03360A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358AA0 mov eax, dword ptr fs:[00000030h]	7_2_03358AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03358AA0 mov eax, dword ptr fs:[00000030h]	7_2_03358AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A6AA4 mov eax, dword ptr fs:[00000030h]	7_2_033A6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03388A90 mov edx, dword ptr fs:[00000030h]	7_2_03388A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335EA80 mov eax, dword ptr fs:[00000030h]	7_2_0335EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424A80 mov eax, dword ptr fs:[00000030h]	7_2_03424A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338AAEE mov eax, dword ptr fs:[00000030h]	7_2_0338AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338AAEE mov eax, dword ptr fs:[00000030h]	7_2_0338AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03350AD0 mov eax, dword ptr fs:[00000030h]	7_2_03350AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03384AD0 mov eax, dword ptr fs:[00000030h]	7_2_03384AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03384AD0 mov eax, dword ptr fs:[00000030h]	7_2_03384AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A6ACC mov eax, dword ptr fs:[00000030h]	7_2_033A6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A6ACC mov eax, dword ptr fs:[00000030h]	7_2_033A6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033A6ACC mov eax, dword ptr fs:[00000030h]	7_2_033A6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03424940 mov eax, dword ptr fs:[00000030h]	7_2_03424940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E892B mov eax, dword ptr fs:[00000030h]	7_2_033E892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D892A mov eax, dword ptr fs:[00000030h]	7_2_033D892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03348918 mov eax, dword ptr fs:[00000030h]	7_2_03348918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03348918 mov eax, dword ptr fs:[00000030h]	7_2_03348918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DC912 mov eax, dword ptr fs:[00000030h]	7_2_033DC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE908 mov eax, dword ptr fs:[00000030h]	7_2_033CE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033CE908 mov eax, dword ptr fs:[00000030h]	7_2_033CE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DC97C mov eax, dword ptr fs:[00000030h]	7_2_033DC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F4978 mov eax, dword ptr fs:[00000030h]	7_2_033F4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F4978 mov eax, dword ptr fs:[00000030h]	7_2_033F4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03376962 mov eax, dword ptr fs:[00000030h]	7_2_03376962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03376962 mov eax, dword ptr fs:[00000030h]	7_2_03376962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03376962 mov eax, dword ptr fs:[00000030h]	7_2_03376962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0339096E mov eax, dword ptr fs:[00000030h]	7_2_0339096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0339096E mov edx, dword ptr fs:[00000030h]	7_2_0339096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0339096E mov eax, dword ptr fs:[00000030h]	7_2_0339096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D0946 mov eax, dword ptr fs:[00000030h]	7_2_033D0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D89B3 mov esi, dword ptr fs:[00000030h]	7_2_033D89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D89B3 mov eax, dword ptr fs:[00000030h]	7_2_033D89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033D89B3 mov eax, dword ptr fs:[00000030h]	7_2_033D89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0341A9D3 mov eax, dword ptr fs:[00000030h]	7_2_0341A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033629A0 mov eax, dword ptr fs:[00000030h]	7_2_033629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033509AD mov eax, dword ptr fs:[00000030h]	7_2_033509AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033509AD mov eax, dword ptr fs:[00000030h]	7_2_033509AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033829F9 mov eax, dword ptr fs:[00000030h]	7_2_033829F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033829F9 mov eax, dword ptr fs:[00000030h]	7_2_033829F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DE9E0 mov eax, dword ptr fs:[00000030h]	7_2_033DE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0335A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0335A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0335A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0335A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0335A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0335A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0335A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033849D0 mov eax, dword ptr fs:[00000030h]	7_2_033849D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E69C0 mov eax, dword ptr fs:[00000030h]	7_2_033E69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372835 mov eax, dword ptr fs:[00000030h]	7_2_03372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372835 mov eax, dword ptr fs:[00000030h]	7_2_03372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372835 mov eax, dword ptr fs:[00000030h]	7_2_03372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372835 mov ecx, dword ptr fs:[00000030h]	7_2_03372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372835 mov eax, dword ptr fs:[00000030h]	7_2_03372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03372835 mov eax, dword ptr fs:[00000030h]	7_2_03372835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F483A mov eax, dword ptr fs:[00000030h]	7_2_033F483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033F483A mov eax, dword ptr fs:[00000030h]	7_2_033F483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0338A830 mov eax, dword ptr fs:[00000030h]	7_2_0338A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DC810 mov eax, dword ptr fs:[00000030h]	7_2_033DC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E6870 mov eax, dword ptr fs:[00000030h]	7_2_033E6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033E6870 mov eax, dword ptr fs:[00000030h]	7_2_033E6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DE872 mov eax, dword ptr fs:[00000030h]	7_2_033DE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DE872 mov eax, dword ptr fs:[00000030h]	7_2_033DE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03380854 mov eax, dword ptr fs:[00000030h]	7_2_03380854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354859 mov eax, dword ptr fs:[00000030h]	7_2_03354859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03354859 mov eax, dword ptr fs:[00000030h]	7_2_03354859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_03362840 mov ecx, dword ptr fs:[00000030h]	7_2_03362840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_034208C0 mov eax, dword ptr fs:[00000030h]	7_2_034208C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_033DC89D mov eax, dword ptr fs:[00000030h]	7_2_033DC89D

Enables debug privileges

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x26DA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x2F9A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x2F9A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x152A4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x152A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x292A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x148A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x118A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x148A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x292A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x26DA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x14EA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x118A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x281A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0x14EA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0x281A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtQueueApcThread: Indirect: 0xFCA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	NtClose: Indirect: 0xFCA56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\reg.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\reg.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 4004	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 4004

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 220000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\reg.exe base address: 370000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: E80000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: E80000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 270000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 960000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: E80000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 130000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: A60000

Writes to foreign memory regions

Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 72D008
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DF9008
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9AB008

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PURCHASED ORDER OF ENG091.pif.pif.pif.pif" /t REG_SZ /F /D "C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif"

Source: explorer.exe, 00000008.00000002.3366936645.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2175983009.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000008.00000000.2178228017.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3366936645.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3371369932.00000000048E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000002.3366936645.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2175983009.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000008.00000002.3365608338.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2175448069.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000008.00000002.3366936645.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.2175983009.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.2186408127.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3074869572.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3377674269.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

AV process strings found (often used to terminate AV products)

Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2179042011.00000000050F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2179042011.000000000513C000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2173739355.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2178914699.00000000050A9000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2348427426.00000000059EC000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2421067094.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2401595350.0000000000808000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2491782208.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2505667538.0000000005448000.00000004.00000020.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2633457329.0000000006187000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2174149800.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2329293185.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2403280656.000000000259A000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2493397578.0000000002648000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2612943933.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 0000002E.00000002.2700394567.0000000003054000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 00000036.00000002.2785236388.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 0000003F.00000002.2864011147.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 00000047.00000002.2995542174.0000000003551000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q(C:\Program Files\AVG\Antivirus\AVGUI.exe
Source: PURCHASED ORDER OF ENG091.exe, 00000000.00000002.2174149800.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 0000000C.00000002.2329293185.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif, 00000015.00000002.2403280656.000000000259A000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 0000001D.00000002.2493397578.0000000002648000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif, 00000026.00000002.2612943933.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 0000002E.00000002.2700394567.0000000003054000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif, 00000036.00000002.2785236388.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 0000003F.00000002.2864011147.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, PURCHASED ORDER OF ENG091.pif.pif.pif.pif, 00000047.00000002.2995542174.0000000003551000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q.C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\PURCHASED ORDER OF ENG091.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Searches for user specific document files

Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASED ORDER OF ENG091.exe.389a1f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2649126395.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3387644205.000000000EB42000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2627604465.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2712579590.0000000004028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.000000000389A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2731575552.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2235289603.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.0000000003A5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2500819565.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2367170516.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3365508291.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2343571638.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2176143982.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2411207031.000000000352B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366459232.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2805551760.0000000004534000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000046.00000002.2895699701.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2436330065.00000000006E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000004E.00000002.3035230297.0000000003190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.2823024000.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2884163790.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000047.00000002.3030559754.00000000045B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2526649554.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3366396664.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Windows Analysis Report
PURCHASED ORDER OF ENG091.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1528882
Product:	CloudBasic
Start time:	11:29:12
Start date:	08.10.2024
Sample:	PURCHASED ORDER OF ENG091.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	30ecd7046839af0716977a9ef6047e60
SHA1:	a1f6517726c9dc0f3d588b947e2aaeb4f849f58c
SHA256:	472a703381c8fe89f83b0fe4d7960b0942c5694054ba94dd85c249c4c702e0cd
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASED ORDER OF ENG091.exe.log	ASCII text, with CRLF line terminators	E8F202D47F8209A1C5C4BDEB370E4BBC	02D322F9852FA4E53BE3996868275A55F1228078	71719EF4FD3912492F7AD3CA6CF8F5A458C0EC56CEECDE1005B05B610B5FF378
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASED ORDER OF ENG091.pif.log	ASCII text, with CRLF line terminators	E8F202D47F8209A1C5C4BDEB370E4BBC	02D322F9852FA4E53BE3996868275A55F1228078	71719EF4FD3912492F7AD3CA6CF8F5A458C0EC56CEECDE1005B05B610B5FF378
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASED ORDER OF ENG091.pif.pif.log	ASCII text, with CRLF line terminators	E8F202D47F8209A1C5C4BDEB370E4BBC	02D322F9852FA4E53BE3996868275A55F1228078	71719EF4FD3912492F7AD3CA6CF8F5A458C0EC56CEECDE1005B05B610B5FF378
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASED ORDER OF ENG091.pif.pif.pif.log	ASCII text, with CRLF line terminators	E8F202D47F8209A1C5C4BDEB370E4BBC	02D322F9852FA4E53BE3996868275A55F1228078	71719EF4FD3912492F7AD3CA6CF8F5A458C0EC56CEECDE1005B05B610B5FF378
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.log	ASCII text, with CRLF line terminators	E8F202D47F8209A1C5C4BDEB370E4BBC	02D322F9852FA4E53BE3996868275A55F1228078	71719EF4FD3912492F7AD3CA6CF8F5A458C0EC56CEECDE1005B05B610B5FF378
C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	30ECD7046839AF0716977A9EF6047E60	A1F6517726C9DC0F3D588B947E2AAEB4F849F58C	472A703381C8FE89F83B0FE4D7960B0942C5694054BA94DD85C249C4C702E0CD
C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	30ECD7046839AF0716977A9EF6047E60	A1F6517726C9DC0F3D588B947E2AAEB4F849F58C	472A703381C8FE89F83B0FE4D7960B0942C5694054BA94DD85C249C4C702E0CD
C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	30ECD7046839AF0716977A9EF6047E60	A1F6517726C9DC0F3D588B947E2AAEB4F849F58C	472A703381C8FE89F83B0FE4D7960B0942C5694054BA94DD85C249C4C702E0CD
C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	30ECD7046839AF0716977A9EF6047E60	A1F6517726C9DC0F3D588B947E2AAEB4F849F58C	472A703381C8FE89F83B0FE4D7960B0942C5694054BA94DD85C249C4C702E0CD
C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	30ECD7046839AF0716977A9EF6047E60	A1F6517726C9DC0F3D588B947E2AAEB4F849F58C	472A703381C8FE89F83B0FE4D7960B0942C5694054BA94DD85C249C4C702E0CD
C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif.pif:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif.pif:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif.pif:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif.pif:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\PURCHASED ORDER OF ENG091.pif:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report PURCHASED ORDER OF ENG091.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
PURCHASED ORDER OF ENG091.exe

Malware Threat Intel
Provided by