Windows Analysis Report
Outstanding payment.exe

Overview

General Information

Sample name:	Outstanding payment.exe
Analysis ID:	1592447
MD5:	43dc8c62e9343eb01c3ffb53390e2a55
SHA1:	af544600a7cba01add858593c892c58fe8d9b024
SHA256:	07abbe06a2d17f142846d33bda215df5b05355148c781cb9ff1c8f233f534cbc
Tags:	exeuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Uses netstat to query active network connections and open ports

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Outstanding payment.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.dj1.lat/a03d/	Avira URL Cloud: Label: malware
Source: http://www.istromarmitaria.online/a03d/	Avira URL Cloud: Label: malware
Source: www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.otelhafnia.info/a03d/www.kkkk.shop	Avira URL Cloud: Label: malware
Source: http://www.istromarmitaria.online/a03d/www.dj1.lat	Avira URL Cloud: Label: malware
Source: http://www.nfluencer-marketing-13524.bond/a03d/www.atidiri.fun	Avira URL Cloud: Label: malware
Source: http://www.72266.vip/a03d/www.istromarmitaria.online	Avira URL Cloud: Label: malware
Source: http://www.nfluencer-marketing-13524.bond/a03d/	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.dj1.lat/a03d/j	Avira URL Cloud: Label: malware
Source: http://www.aja168e.live/a03d/www.duxrib.xyz	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.atidiri.fun/a03d/	Avira URL Cloud: Label: malware
Source: http://www.otelhafnia.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop/a03d/www.aja168e.live	Avira URL Cloud: Label: malware
Source: http://www.oftware-download-92806.bond/a03d/	Avira URL Cloud: Label: malware
Source: http://www.atidiri.fun/a03d/www.otelhafnia.info	Avira URL Cloud: Label: malware
Source: http://www.inggraphic.pro/a03d/	Avira URL Cloud: Label: malware
Source: http://www.behm.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop	Avira URL Cloud: Label: malware
Source: http://www.elnqdjc.shop/a03d/www.8oosnny.xyz	Avira URL Cloud: Label: malware
Source: http://www.72266.vip/a03d/	Avira URL Cloud: Label: malware
Source: http://www.behm.info/a03d/www.enelog.xyz	Avira URL Cloud: Label: malware
Source: http://www.lphatechblog.xyz/a03d/www.oftware-download-92806.bond	Avira URL Cloud: Label: malware
Source: http://www.8oosnny.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.elnqdjc.shop/a03d/	Avira URL Cloud: Label: malware
Source: http://www.lphatechblog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/www.72266.vip	Avira URL Cloud: Label: malware
Source: http://www.inggraphic.pro/a03d/www.elnqdjc.shop	Avira URL Cloud: Label: malware
Source: http://www.aja168e.live/a03d/	Avira URL Cloud: Label: malware
Source: http://www.oftware-download-92806.bond/a03d/www.behm.info	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/www.lphatechblog.xyz	Avira URL Cloud: Label: malware
Source: http://www.8oosnny.xyz/a03d/www.nfluencer-marketing-13524.bond	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop/a03d/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBSWjb.exe

Avira: detection malicious, Label: HEUR/AGEN.1310400

Found malware configuration

Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.enelog.xyz/a03d/"], "decoy": ["nfluencer-marketing-13524.bond", "cebepu.info", "lphatechblog.xyz", "haoyun.website", "itiz.xyz", "orld-visa-center.online", "si.art", "alata.xyz", "mmarketing.xyz", "elnqdjc.shop", "ensentoto.cloud", "voyagu.info", "onvert.today", "1fuli9902.shop", "otelhafnia.info", "rumpchiefofstaff.store", "urvivalflashlights.shop", "0090.pizza", "ings-hu-13.today", "oliticalpatriot.net", "5970.pizza", "arimatch-in.legal", "eepvid.xyz", "bfootball.net", "otorcycle-loans-19502.bond", "nline-advertising-34790.bond", "behm.info", "aportsystems.store", "agiararoma.net", "agfov4u.xyz", "9769.mobi", "ome-renovation-86342.bond", "kkkk.shop", "duxrib.xyz", "xurobo.info", "leurdivin.online", "ive-neurozoom.store", "ndogaming.online", "dj1.lat", "yselection.xyz", "52628.xyz", "lsaadmart.store", "oftware-download-92806.bond", "avid-hildebrand.info", "orashrine.store", "erpangina-treatment-views.sbs", "ategorie-polecane-831.buzz", "oonlightshadow.shop", "istromarmitaria.online", "gmgslzdc.sbs", "asglobalaz.shop", "locarry.store", "eleefmestreech.online", "inggraphic.pro", "atidiri.fun", "olourclubbet.shop", "eatbox.store", "romatografia.online", "encortex.beauty", "8oosnny.xyz", "72266.vip", "aja168e.live", "fath.shop", "argloscaremedia.info"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBSWjb.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: Outstanding payment.exe	ReversingLabs: Detection: 28%
Source: Outstanding payment.exe	Virustotal: Detection: 36%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBSWjb.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Outstanding payment.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: Outstanding payment.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Outstanding payment.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msiexec.pdb source: RegSvcs.exe, 0000000F.00000002.2163601401.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2167593167.0000000001950000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4525647281.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2166629916.0000000001520000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2166042893.0000000001038000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169801736.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: RegSvcs.exe, 0000000F.00000002.2163601401.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2167593167.0000000001950000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4525647281.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: RegSvcs.exe, 00000009.00000002.2166629916.0000000001520000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2166042893.0000000001038000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169801736.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 0000000A.00000002.4544436194.000000001108F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526176931.0000000002B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4527606666.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.2164292767.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2162873949.00000000043E3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.0000000004740000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2165021648.0000000004596000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2168122863.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.00000000032BE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.0000000003120000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2166132931.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.2164292767.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2162873949.00000000043E3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.0000000004740000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2165021648.0000000004596000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2168122863.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.00000000032BE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.0000000003120000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2166132931.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 0000000A.00000002.4544436194.000000001108F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526176931.0000000002B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4527606666.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 4x nop then jmp 09BD59F2h	0_2_09BD555B
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 4x nop then jmp 05304F52h	11_2_05304ABB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop ebx	15_2_00407B1E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49979 -> 121.254.178.252:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49979 -> 121.254.178.252:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49979 -> 121.254.178.252:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.enelog.xyz/a03d/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.8oosnny.xyz
Source:	DNS query: www.lphatechblog.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.behm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.8oosnny.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nfluencer-marketing-13524.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lphatechblog.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.inggraphic.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.oftware-download-92806.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.aja168e.live replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.atidiri.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.otelhafnia.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.elnqdjc.shop replaycode: Name error (3)

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 10_2_118ADF82 getaddrinfo,setsockopt,recv,

10_2_118ADF82

Source: global traffic	DNS traffic detected: DNS query: www.inggraphic.pro
Source: global traffic	DNS traffic detected: DNS query: www.elnqdjc.shop
Source: global traffic	DNS traffic detected: DNS query: www.8oosnny.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nfluencer-marketing-13524.bond
Source: global traffic	DNS traffic detected: DNS query: www.atidiri.fun
Source: global traffic	DNS traffic detected: DNS query: www.otelhafnia.info
Source: global traffic	DNS traffic detected: DNS query: www.kkkk.shop
Source: global traffic	DNS traffic detected: DNS query: www.aja168e.live
Source: global traffic	DNS traffic detected: DNS query: www.lphatechblog.xyz
Source: global traffic	DNS traffic detected: DNS query: www.oftware-download-92806.bond
Source: global traffic	DNS traffic detected: DNS query: www.behm.info

Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000A.00000002.4525785289.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2090992450.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000002.4534821677.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000A.00000000.2104136768.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2103626523.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4533350845.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Outstanding payment.exe, 00000000.00000002.2111417638.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, iBSWjb.exe, 0000000B.00000002.2146532412.0000000003309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.72266.vip
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.72266.vip/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.72266.vip/a03d/www.istromarmitaria.online
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.72266.vipReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8oosnny.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8oosnny.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8oosnny.xyz/a03d/www.nfluencer-marketing-13524.bond
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8oosnny.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live/a03d/www.duxrib.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.liveReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun/a03d/www.otelhafnia.info
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.funReferer:
Source: explorer.exe, 0000000A.00000000.2117409581.000000000C8E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096098347.000000000C8E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096192758.000000000C8EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.behm.info
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.behm.info/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.behm.info/a03d/www.enelog.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.behm.infoReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.lat
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.lat/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.lat/a03d/j
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.latReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/www.lphatechblog.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop/a03d/www.8oosnny.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shopReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/www.72266.vip
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro/a03d/www.elnqdjc.shop
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.proReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.istromarmitaria.online
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.istromarmitaria.online/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.istromarmitaria.online/a03d/www.dj1.lat
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.istromarmitaria.onlineReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop/a03d/www.aja168e.live
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shopReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyz/a03d/www.oftware-download-92806.bond
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-13524.bond
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-13524.bond/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-13524.bond/a03d/www.atidiri.fun
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-13524.bondReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bond
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bond/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bond/a03d/www.behm.info
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bondReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info/a03d/www.kkkk.shop
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.infoReferer:
Source: explorer.exe, 0000000A.00000002.4541154394.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2116427332.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 0000000A.00000002.4531583255.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2095932568.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000002.4534821677.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000000.2095932568.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4531583255.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000000.2092490367.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527780595.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096430649.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097842641.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4538468202.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4538536779.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096220072.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000A.00000000.2116427332.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4541154394.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 0000000A.00000002.4534821677.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 0000000A.00000002.4534821677.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.4544744783.00000000118C5000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Outstanding payment.exe PID: 6252, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: iBSWjb.exe PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6564, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msiexec.exe PID: 3876, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 4676, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Outstanding payment.exe

Contains functionality to call native functions

Source: C:\Windows\explorer.exe	Code function: 10_2_118AEE12 NtProtectVirtualMemory,	10_2_118AEE12
Source: C:\Windows\explorer.exe	Code function: 10_2_118AD232 NtCreateFile,	10_2_118AD232
Source: C:\Windows\explorer.exe	Code function: 10_2_118AEE0A NtProtectVirtualMemory,	10_2_118AEE0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A320 NtCreateFile,	15_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A3D0 NtReadFile,	15_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A450 NtClose,	15_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A500 NtAllocateVirtualMemory,	15_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A31B NtCreateFile,	15_2_0041A31B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A44B NtClose,	15_2_0041A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A4FF NtAllocateVirtualMemory,	15_2_0041A4FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642B60 NtClose,LdrInitializeThunk,	15_2_01642B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_01642BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642AD0 NtReadFile,LdrInitializeThunk,	15_2_01642AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642D30 NtUnmapViewOfSection,LdrInitializeThunk,	15_2_01642D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642D10 NtMapViewOfSection,LdrInitializeThunk,	15_2_01642D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642DF0 NtQuerySystemInformation,LdrInitializeThunk,	15_2_01642DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642DD0 NtDelayExecution,LdrInitializeThunk,	15_2_01642DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642C70 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_01642C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642CA0 NtQueryInformationToken,LdrInitializeThunk,	15_2_01642CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642F30 NtCreateSection,LdrInitializeThunk,	15_2_01642F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642FE0 NtCreateFile,LdrInitializeThunk,	15_2_01642FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642FB0 NtResumeThread,LdrInitializeThunk,	15_2_01642FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642F90 NtProtectVirtualMemory,LdrInitializeThunk,	15_2_01642F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_01642EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642E80 NtReadVirtualMemory,LdrInitializeThunk,	15_2_01642E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01644340 NtSetContextThread,	15_2_01644340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01644650 NtSuspendThread,	15_2_01644650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642BE0 NtQueryValueKey,	15_2_01642BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642BA0 NtEnumerateValueKey,	15_2_01642BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642B80 NtQueryInformationFile,	15_2_01642B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642AF0 NtWriteFile,	15_2_01642AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642AB0 NtWaitForSingleObject,	15_2_01642AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642D00 NtSetInformationFile,	15_2_01642D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642DB0 NtEnumerateKey,	15_2_01642DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642C60 NtCreateKey,	15_2_01642C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642C00 NtQueryInformationProcess,	15_2_01642C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642CF0 NtOpenProcess,	15_2_01642CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642CC0 NtQueryVirtualMemory,	15_2_01642CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642F60 NtCreateProcessEx,	15_2_01642F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642FA0 NtQuerySection,	15_2_01642FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642E30 NtWriteVirtualMemory,	15_2_01642E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642EE0 NtQueueApcThread,	15_2_01642EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01643010 NtOpenDirectoryObject,	15_2_01643010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01643090 NtSetValueKey,	15_2_01643090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016435C0 NtCreateMutant,	15_2_016435C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016439B0 NtGetContextThread,	15_2_016439B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01643D70 NtOpenThread,	15_2_01643D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01643D10 NtOpenProcessToken,	15_2_01643D10

Detected potential crypto function

Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010925C1	0_2_010925C1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010991C4	0_2_010991C4
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010913C8	0_2_010913C8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01093470	0_2_01093470
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01091C08	0_2_01091C08
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010920D2	0_2_010920D2
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109C39B	0_2_0109C39B
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010943B0	0_2_010943B0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010943C0	0_2_010943C0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109C400	0_2_0109C400
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01090870	0_2_01090870
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01094F08	0_2_01094F08
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109CE8F	0_2_0109CE8F
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109CED3	0_2_0109CED3
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01094EF9	0_2_01094EF9
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109134B	0_2_0109134B
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01095210	0_2_01095210
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109345C	0_2_0109345C
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010957A2	0_2_010957A2
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010957B0	0_2_010957B0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01095600	0_2_01095600
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01095610	0_2_01095610
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010959CA	0_2_010959CA
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010959D8	0_2_010959D8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD02A0	0_2_09BD02A0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD0291	0_2_09BD0291
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD84E8	0_2_09BD84E8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD0C50	0_2_09BD0C50
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD77E0	0_2_09BD77E0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F0B70	0_2_0B2F0B70
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5A80	0_2_0B2F5A80
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F7998	0_2_0B2F7998
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6020	0_2_0B2F6020
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F0040	0_2_0B2F0040
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F2098	0_2_0B2F2098
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F70E8	0_2_0B2F70E8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5640	0_2_0B2F5640
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F16E0	0_2_0B2F16E0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F1B28	0_2_0B2F1B28
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F1B19	0_2_0B2F1B19
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5A71	0_2_0B2F5A71
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F0AD0	0_2_0B2F0AD0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6928	0_2_0B2F6928
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F4920	0_2_0B2F4920
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6918	0_2_0B2F6918
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F4910	0_2_0B2F4910
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F19B1	0_2_0B2F19B1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F7988	0_2_0B2F7988
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F7F78	0_2_0B2F7F78
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F4FA0	0_2_0B2F4FA0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F4FB0	0_2_0B2F4FB0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F7F88	0_2_0B2F7F88
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F3D61	0_2_0B2F3D61
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F3D70	0_2_0B2F3D70
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5CB9	0_2_0B2F5CB9
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5CC8	0_2_0B2F5CC8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F51C0	0_2_0B2F51C0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F51D0	0_2_0B2F51D0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F001F	0_2_0B2F001F
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6010	0_2_0B2F6010
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F2089	0_2_0B2F2089
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F70D8	0_2_0B2F70D8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5631	0_2_0B2F5631
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2FB6F8	0_2_0B2FB6F8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2FF6F0	0_2_0B2FF6F0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F16D1	0_2_0B2F16D1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F3589	0_2_0B2F3589
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F55F0	0_2_0B2F55F0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5438	0_2_0B2F5438
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6468	0_2_0B2F6468
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5448	0_2_0B2F5448
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6459	0_2_0B2F6459
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0100	9_2_015D0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626000	9_2_01626000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE3F0	9_2_015EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016602C0	9_2_016602C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016365D0	9_2_016365D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016365B2	9_2_016365B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604750	9_2_01604750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FC6E0	9_2_015FC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F6962	9_2_015F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EA840	9_2_015EA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E8F0	9_2_0160E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C68F1	9_2_015C68F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01618890	9_2_01618890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2A45	9_2_015E2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EED7A	9_2_015EED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EAD00	9_2_015EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E8DC0	9_2_015E8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8DBF	9_2_015F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0CF2	9_2_015D0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01622F28	9_2_01622F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600F30	9_2_01600F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2FC8	9_2_015D2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165EFA0	9_2_0165EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0E59	9_2_015E0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2ED9	9_2_015F2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161516C	9_2_0161516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CF172	9_2_015CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EB1B0	9_2_015EB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E33F3	9_2_015E33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FD2F0	9_2_015FD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E52A0	9_2_015E52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016274E0	9_2_016274E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E3497	9_2_015E3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EB730	9_2_015EB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E9950	9_2_015E9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FB950	9_2_015FB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D1979	9_2_015D1979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E59DA	9_2_015E59DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164D800	9_2_0164D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E38E0	9_2_015E38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01655BF0	9_2_01655BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161DBF9	9_2_0161DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FFB80	9_2_015FFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01653A6C	9_2_01653A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E3D40	9_2_015E3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FFDC0	9_2_015FFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01659C32	9_2_01659C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F9C20	9_2_015F9C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E1F92	9_2_015E1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E9EB0	9_2_015E9EB0
Source: C:\Windows\explorer.exe	Code function: 10_2_0E851232	10_2_0E851232
Source: C:\Windows\explorer.exe	Code function: 10_2_0E84BB30	10_2_0E84BB30
Source: C:\Windows\explorer.exe	Code function: 10_2_0E84BB32	10_2_0E84BB32
Source: C:\Windows\explorer.exe	Code function: 10_2_0E847082	10_2_0E847082
Source: C:\Windows\explorer.exe	Code function: 10_2_0E850036	10_2_0E850036
Source: C:\Windows\explorer.exe	Code function: 10_2_0E8545CD	10_2_0E8545CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0E848D02	10_2_0E848D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0E84E912	10_2_0E84E912
Source: C:\Windows\explorer.exe	Code function: 10_2_10DDC082	10_2_10DDC082
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE5036	10_2_10DE5036
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE95CD	10_2_10DE95CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE3912	10_2_10DE3912
Source: C:\Windows\explorer.exe	Code function: 10_2_10DDDD02	10_2_10DDDD02
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE6232	10_2_10DE6232
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE0B32	10_2_10DE0B32
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE0B30	10_2_10DE0B30
Source: C:\Windows\explorer.exe	Code function: 10_2_118AD232	10_2_118AD232
Source: C:\Windows\explorer.exe	Code function: 10_2_118B05CD	10_2_118B05CD
Source: C:\Windows\explorer.exe	Code function: 10_2_118A4D02	10_2_118A4D02
Source: C:\Windows\explorer.exe	Code function: 10_2_118AA912	10_2_118AA912
Source: C:\Windows\explorer.exe	Code function: 10_2_118A7B32	10_2_118A7B32
Source: C:\Windows\explorer.exe	Code function: 10_2_118A7B30	10_2_118A7B30
Source: C:\Windows\explorer.exe	Code function: 10_2_118A3082	10_2_118A3082
Source: C:\Windows\explorer.exe	Code function: 10_2_118AC036	10_2_118AC036
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031925C1	11_2_031925C1
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031913C8	11_2_031913C8
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031991C4	11_2_031991C4
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03193470	11_2_03193470
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03191C08	11_2_03191C08
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319C39B	11_2_0319C39B
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031943B0	11_2_031943B0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031943C0	11_2_031943C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031920D2	11_2_031920D2
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319C400	11_2_0319C400
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03190870	11_2_03190870
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03194F08	11_2_03194F08
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319CE93	11_2_0319CE93
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319CED3	11_2_0319CED3
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03194EF9	11_2_03194EF9
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319134B	11_2_0319134B
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03195210	11_2_03195210
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031957B0	11_2_031957B0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031957A2	11_2_031957A2
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03195610	11_2_03195610
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03195600	11_2_03195600
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319345B	11_2_0319345B
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031959D8	11_2_031959D8
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031959CA	11_2_031959CA
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_05306468	11_2_05306468
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_053004AF	11_2_053004AF
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_053004C0	11_2_053004C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_053077C0	11_2_053077C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_05300E70	11_2_05300E70
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_08976674	11_2_08976674
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_08979188	11_2_08979188
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B567B18	11_2_0B567B18
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B560AD0	11_2_0B560AD0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565C00	11_2_0B565C00
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B567268	11_2_0B567268
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5661A0	11_2_0B5661A0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B560040	11_2_0B560040
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B562098	11_2_0B562098
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5657C0	11_2_0B5657C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5616E0	11_2_0B5616E0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B563589	11_2_0B563589
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B561B19	11_2_0B561B19
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B567B08	11_2_0B567B08
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B561B28	11_2_0B561B28
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565BF1	11_2_0B565BF1
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B566A99	11_2_0B566A99
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B564910	11_2_0B564910
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B564920	11_2_0B564920
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56F870	11_2_0B56F870
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56EFF0	11_2_0B56EFF0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B564FB0	11_2_0B564FB0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B564FA0	11_2_0B564FA0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565E48	11_2_0B565E48
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565E39	11_2_0B565E39
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B563D70	11_2_0B563D70
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B563D61	11_2_0B563D61
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B567258	11_2_0B567258
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B568108	11_2_0B568108
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5651D0	11_2_0B5651D0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5651C0	11_2_0B5651C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B566190	11_2_0B566190
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56001E	11_2_0B56001E
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5680FA	11_2_0B5680FA
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B562089	11_2_0B562089
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5657B0	11_2_0B5657B0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5616D1	11_2_0B5616D1
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5665D8	11_2_0B5665D8
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5665E8	11_2_0B5665E8
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565448	11_2_0B565448
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565438	11_2_0B565438
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56F428	11_2_0B56F428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00401030	15_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041EAC3	15_2_0041EAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041E524	15_2_0041E524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D580	15_2_0041D580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00402D90	15_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00409E50	15_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00409E0A	15_2_00409E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041EFDF	15_2_0041EFDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00402FB0	15_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01698158	15_2_01698158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01600100	15_2_01600100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016AA118	15_2_016AA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C81CC	15_2_016C81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016D01AA	15_2_016D01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016A2000	15_2_016A2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CA352	15_2_016CA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016D03E6	15_2_016D03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161E3F0	15_2_0161E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016B0274	15_2_016B0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016902C0	15_2_016902C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01610535	15_2_01610535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016D0591	15_2_016D0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C2446	15_2_016C2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016BE4F6	15_2_016BE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01610770	15_2_01610770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01634750	15_2_01634750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0160C7C0	15_2_0160C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162C6E0	15_2_0162C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01626962	15_2_01626962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016129A0	15_2_016129A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016DA9A6	15_2_016DA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161A840	15_2_0161A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01612840	15_2_01612840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0163E8F0	15_2_0163E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015F68B8	15_2_015F68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CAB40	15_2_016CAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C6BD7	15_2_016C6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0160EA80	15_2_0160EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161AD00	15_2_0161AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0160ADE0	15_2_0160ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01628DBF	15_2_01628DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01610C00	15_2_01610C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01600CF2	15_2_01600CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016B0CB5	15_2_016B0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01684F40	15_2_01684F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01652F28	15_2_01652F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01630F30	15_2_01630F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161CFE0	15_2_0161CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01602FC8	15_2_01602FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0168EFA0	15_2_0168EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01610E59	15_2_01610E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CEE26	15_2_016CEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CEEDB	15_2_016CEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01622E90	15_2_01622E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CCE93	15_2_016CCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016DB16B	15_2_016DB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0164516C	15_2_0164516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015FF172	15_2_015FF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161B1B0	15_2_0161B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C70E9	15_2_016C70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CF0E0	15_2_016CF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016170C0	15_2_016170C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016BF0CC	15_2_016BF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015FD34C	15_2_015FD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C132D	15_2_016C132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0165739A	15_2_0165739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016B12ED	15_2_016B12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162B2C0	15_2_0162B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016152A0	15_2_016152A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C7571	15_2_016C7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016AD5B0	15_2_016AD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01601460	15_2_01601460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CF43F	15_2_016CF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CF7B0	15_2_016CF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C16CC	15_2_016C16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01619950	15_2_01619950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162B950	15_2_0162B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016A5910	15_2_016A5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0167D800	15_2_0167D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016138E0	15_2_016138E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFB76	15_2_016CFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01685BF0	15_2_01685BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0164DBF9	15_2_0164DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162FB80	15_2_0162FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01683A6C	15_2_01683A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFA49	15_2_016CFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C7A46	15_2_016C7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016BDAC6	15_2_016BDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01655AA0	15_2_01655AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016ADAAC	15_2_016ADAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C7D73	15_2_016C7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01613D40	15_2_01613D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C1D5A	15_2_016C1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162FDC0	15_2_0162FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01689C32	15_2_01689C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFCF2	15_2_016CFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFF09	15_2_016CFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFFB1	15_2_016CFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01611F92	15_2_01611F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01619EB0	15_2_01619EB0

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01627E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0168F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 015FB970 appears 275 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01645130 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0167EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0164EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01657E54 appears 100 times

Sample file is different than original file name gathered from version info

Source: Outstanding payment.exe, 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000000.2060151617.0000000000612000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVlWL.exe" vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000002.2110202228.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000002.2117960305.0000000007950000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000002.2119057847.0000000009B20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Outstanding payment.exe
Source: Outstanding payment.exe	Binary or memory string: OriginalFilenameVlWL.exe" vs Outstanding payment.exe

Uses 32bit PE files

Source: Outstanding payment.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.4544744783.00000000118C5000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Outstanding payment.exe PID: 6252, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: iBSWjb.exe PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6564, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msiexec.exe PID: 3876, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 4676, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Outstanding payment.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: iBSWjb.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@26/15@11/0

Source: C:\Users\user\Desktop\Outstanding payment.exe

File created: C:\Users\user\AppData\Roaming\iBSWjb.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Mutant created: \Sessions\1\BaseNamedObjects\iGAQEIWfdLpPOyg
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03

Source: C:\Users\user\Desktop\Outstanding payment.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp

Jump to behavior

Source: Outstanding payment.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Outstanding payment.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Outstanding payment.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Outstanding payment.exe	ReversingLabs: Detection: 28%
Source: Outstanding payment.exe	Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\Outstanding payment.exe

File read: C:\Users\user\Desktop\Outstanding payment.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Outstanding payment.exe "C:\Users\user\Desktop\Outstanding payment.exe"
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\iBSWjb.exe C:\Users\user\AppData\Roaming\iBSWjb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: snmpapi.dll

Source: C:\Users\user\Desktop\Outstanding payment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Outstanding payment.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Outstanding payment.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Outstanding payment.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msiexec.pdb source: RegSvcs.exe, 0000000F.00000002.2163601401.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2167593167.0000000001950000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4525647281.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2166629916.0000000001520000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2166042893.0000000001038000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169801736.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: RegSvcs.exe, 0000000F.00000002.2163601401.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2167593167.0000000001950000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4525647281.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: RegSvcs.exe, 00000009.00000002.2166629916.0000000001520000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2166042893.0000000001038000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169801736.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 0000000A.00000002.4544436194.000000001108F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526176931.0000000002B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4527606666.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.2164292767.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2162873949.00000000043E3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.0000000004740000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2165021648.0000000004596000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2168122863.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.00000000032BE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.0000000003120000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2166132931.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.2164292767.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2162873949.00000000043E3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.0000000004740000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2165021648.0000000004596000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2168122863.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.00000000032BE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.0000000003120000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2166132931.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 0000000A.00000002.4544436194.000000001108F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526176931.0000000002B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4527606666.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01090C6C pushfd ; iretd	0_2_01090C6E
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F036B push ecx; ret	0_2_0B2F036C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D09AD push ecx; mov dword ptr [esp], ecx	9_2_015D09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015A1328 push eax; iretd	9_2_015A1369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015A1FEC push eax; iretd	9_2_015A1FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01627E99 push ecx; ret	9_2_01627EAC
Source: C:\Windows\explorer.exe	Code function: 10_2_0E854B02 push esp; retn 0000h	10_2_0E854B03
Source: C:\Windows\explorer.exe	Code function: 10_2_0E854B1E push esp; retn 0000h	10_2_0E854B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0E8549B5 push esp; retn 0000h	10_2_0E854AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE99B5 push esp; retn 0000h	10_2_10DE9AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE9B1E push esp; retn 0000h	10_2_10DE9B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE9B02 push esp; retn 0000h	10_2_10DE9B03
Source: C:\Windows\explorer.exe	Code function: 10_2_118B09B5 push esp; retn 0000h	10_2_118B0AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_118B0B02 push esp; retn 0000h	10_2_118B0B03
Source: C:\Windows\explorer.exe	Code function: 10_2_118B0B1E push esp; retn 0000h	10_2_118B0B1F
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03190C6C pushfd ; iretd	11_2_03190C6E
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03199B79 push edi; iretd	11_2_03199B7A
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03199AB8 push esp; iretd	11_2_03199ABE
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03199ABF push esp; iretd	11_2_03199AC2
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031999E0 push ebx; iretd	11_2_031999E2
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_05303A41 pushfd ; ret	11_2_05303A4D
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56036B push ecx; ret	11_2_0B56036C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041E1FC pushfd ; retf	15_2_0041E1FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_004172AE push ebp; retf	15_2_004172B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D475 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D4C2 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D4CB push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D52C push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D580 push edx; ret	15_2_0041D957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016009AD push ecx; mov dword ptr [esp], ecx	15_2_016009B6

Source: Outstanding payment.exe	Static PE information: section name: .text entropy: 7.532213400746095
Source: iBSWjb.exe.0.dr	Static PE information: section name: .text entropy: 7.532213400746095

Drops PE files

Source: C:\Users\user\Desktop\Outstanding payment.exe

File created: C:\Users\user\AppData\Roaming\iBSWjb.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Outstanding payment.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Outstanding payment.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iBSWjb.exe PID: 6648, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 879904 second address: 87990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 879B6E second address: 879B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 1050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 49E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 5070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 6070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 61A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 71A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: B300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: C300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: C790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: D790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: E790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: F790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 10790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 3300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 5300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 5970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 6970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 6AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 7AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: B570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 9D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: C570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 6AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: B570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: C570000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_015CE0D0 rdtsc

9_2_015CE0D0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Outstanding payment.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7088	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1625	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7998	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1571	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9681	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870	Jump to behavior

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Outstanding payment.exe TID: 6224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 384	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6004	Thread sleep count: 9681 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6004	Thread sleep time: -19362000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6004	Thread sleep count: 265 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6004	Thread sleep time: -530000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe TID: 4796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4720	Thread sleep count: 127 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4720	Thread sleep time: -254000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4720	Thread sleep count: 9270 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4720	Thread sleep time: -18540000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Outstanding payment.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000000A.00000000.2095932568.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 0000000A.00000002.4534821677.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2092490367.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000A.00000000.2090992450.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 0000000A.00000000.2092490367.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000A.00000000.2095932568.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000000.2092490367.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000A.00000000.2092490367.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 0000000A.00000000.2090992450.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: iBSWjb.exe, 0000000B.00000002.2153882426.00000000089B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f')
Source: explorer.exe, 0000000A.00000002.4534821677.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2095932568.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Outstanding payment.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_015CE0D0 rdtsc

9_2_015CE0D0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_01612B60 LdrInitializeThunk,

9_2_01612B60

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01612160 mov eax, dword ptr fs:[00000030h]	9_2_01612160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6154 mov eax, dword ptr fs:[00000030h]	9_2_015D6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6154 mov eax, dword ptr fs:[00000030h]	9_2_015D6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC156 mov eax, dword ptr fs:[00000030h]	9_2_015CC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2140 mov ecx, dword ptr fs:[00000030h]	9_2_015D2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2140 mov eax, dword ptr fs:[00000030h]	9_2_015D2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600124 mov eax, dword ptr fs:[00000030h]	9_2_01600124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E61D1 mov eax, dword ptr fs:[00000030h]	9_2_015E61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E61D1 mov eax, dword ptr fs:[00000030h]	9_2_015E61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016001F8 mov eax, dword ptr fs:[00000030h]	9_2_016001F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0162E1D8 mov eax, dword ptr fs:[00000030h]	9_2_0162E1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016401DA mov eax, dword ptr fs:[00000030h]	9_2_016401DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016401DA mov eax, dword ptr fs:[00000030h]	9_2_016401DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA197 mov eax, dword ptr fs:[00000030h]	9_2_015CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA197 mov eax, dword ptr fs:[00000030h]	9_2_015CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA197 mov eax, dword ptr fs:[00000030h]	9_2_015CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01610185 mov eax, dword ptr fs:[00000030h]	9_2_01610185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165019F mov eax, dword ptr fs:[00000030h]	9_2_0165019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165019F mov eax, dword ptr fs:[00000030h]	9_2_0165019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165019F mov eax, dword ptr fs:[00000030h]	9_2_0165019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165019F mov eax, dword ptr fs:[00000030h]	9_2_0165019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A060 mov eax, dword ptr fs:[00000030h]	9_2_0160A060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2050 mov eax, dword ptr fs:[00000030h]	9_2_015D2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01632045 mov eax, dword ptr fs:[00000030h]	9_2_01632045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FC073 mov eax, dword ptr fs:[00000030h]	9_2_015FC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656050 mov eax, dword ptr fs:[00000030h]	9_2_01656050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE016 mov eax, dword ptr fs:[00000030h]	9_2_015EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE016 mov eax, dword ptr fs:[00000030h]	9_2_015EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE016 mov eax, dword ptr fs:[00000030h]	9_2_015EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE016 mov eax, dword ptr fs:[00000030h]	9_2_015EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654000 mov ecx, dword ptr fs:[00000030h]	9_2_01654000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA020 mov eax, dword ptr fs:[00000030h]	9_2_015CA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC020 mov eax, dword ptr fs:[00000030h]	9_2_015CC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016560E0 mov eax, dword ptr fs:[00000030h]	9_2_016560E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016120F0 mov ecx, dword ptr fs:[00000030h]	9_2_016120F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC0F0 mov eax, dword ptr fs:[00000030h]	9_2_015CC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D80E9 mov eax, dword ptr fs:[00000030h]	9_2_015D80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016520DE mov eax, dword ptr fs:[00000030h]	9_2_016520DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA0E3 mov ecx, dword ptr fs:[00000030h]	9_2_015CA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D208A mov eax, dword ptr fs:[00000030h]	9_2_015D208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C80A0 mov eax, dword ptr fs:[00000030h]	9_2_015C80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0163634C mov eax, dword ptr fs:[00000030h]	9_2_0163634C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164035C mov eax, dword ptr fs:[00000030h]	9_2_0164035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164035C mov eax, dword ptr fs:[00000030h]	9_2_0164035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164035C mov eax, dword ptr fs:[00000030h]	9_2_0164035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164035C mov eax, dword ptr fs:[00000030h]	9_2_0164035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov ecx, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F0310 mov ecx, dword ptr fs:[00000030h]	9_2_015F0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC301 mov ecx, dword ptr fs:[00000030h]	9_2_015CC301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A30B mov eax, dword ptr fs:[00000030h]	9_2_0160A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A30B mov eax, dword ptr fs:[00000030h]	9_2_0160A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A30B mov eax, dword ptr fs:[00000030h]	9_2_0160A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2324 mov eax, dword ptr fs:[00000030h]	9_2_015D2324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D83C0 mov eax, dword ptr fs:[00000030h]	9_2_015D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D83C0 mov eax, dword ptr fs:[00000030h]	9_2_015D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D83C0 mov eax, dword ptr fs:[00000030h]	9_2_015D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D83C0 mov eax, dword ptr fs:[00000030h]	9_2_015D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016063FF mov eax, dword ptr fs:[00000030h]	9_2_016063FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016563C0 mov eax, dword ptr fs:[00000030h]	9_2_016563C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE3F0 mov eax, dword ptr fs:[00000030h]	9_2_015EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE3F0 mov eax, dword ptr fs:[00000030h]	9_2_015EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE3F0 mov eax, dword ptr fs:[00000030h]	9_2_015EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8397 mov eax, dword ptr fs:[00000030h]	9_2_015C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8397 mov eax, dword ptr fs:[00000030h]	9_2_015C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8397 mov eax, dword ptr fs:[00000030h]	9_2_015C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F438F mov eax, dword ptr fs:[00000030h]	9_2_015F438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F438F mov eax, dword ptr fs:[00000030h]	9_2_015F438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE388 mov eax, dword ptr fs:[00000030h]	9_2_015CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE388 mov eax, dword ptr fs:[00000030h]	9_2_015CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE388 mov eax, dword ptr fs:[00000030h]	9_2_015CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6259 mov eax, dword ptr fs:[00000030h]	9_2_015D6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA250 mov eax, dword ptr fs:[00000030h]	9_2_015CA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01658243 mov eax, dword ptr fs:[00000030h]	9_2_01658243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01658243 mov ecx, dword ptr fs:[00000030h]	9_2_01658243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C826B mov eax, dword ptr fs:[00000030h]	9_2_015C826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4260 mov eax, dword ptr fs:[00000030h]	9_2_015D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4260 mov eax, dword ptr fs:[00000030h]	9_2_015D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4260 mov eax, dword ptr fs:[00000030h]	9_2_015D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0218 mov eax, dword ptr fs:[00000030h]	9_2_015E0218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C823B mov eax, dword ptr fs:[00000030h]	9_2_015C823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02E1 mov eax, dword ptr fs:[00000030h]	9_2_015E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02E1 mov eax, dword ptr fs:[00000030h]	9_2_015E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02E1 mov eax, dword ptr fs:[00000030h]	9_2_015E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E284 mov eax, dword ptr fs:[00000030h]	9_2_0160E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E284 mov eax, dword ptr fs:[00000030h]	9_2_0160E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01650283 mov eax, dword ptr fs:[00000030h]	9_2_01650283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01650283 mov eax, dword ptr fs:[00000030h]	9_2_01650283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01650283 mov eax, dword ptr fs:[00000030h]	9_2_01650283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02A0 mov eax, dword ptr fs:[00000030h]	9_2_015E02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02A0 mov eax, dword ptr fs:[00000030h]	9_2_015E02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160656A mov eax, dword ptr fs:[00000030h]	9_2_0160656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160656A mov eax, dword ptr fs:[00000030h]	9_2_0160656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160656A mov eax, dword ptr fs:[00000030h]	9_2_0160656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D65D0 mov eax, dword ptr fs:[00000030h]	9_2_015D65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C5ED mov eax, dword ptr fs:[00000030h]	9_2_0160C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C5ED mov eax, dword ptr fs:[00000030h]	9_2_0160C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E5CF mov eax, dword ptr fs:[00000030h]	9_2_0160E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E5CF mov eax, dword ptr fs:[00000030h]	9_2_0160E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0160A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0160A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D25E0 mov eax, dword ptr fs:[00000030h]	9_2_015D25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA580 mov ecx, dword ptr fs:[00000030h]	9_2_015CA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA580 mov eax, dword ptr fs:[00000030h]	9_2_015CA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2582 mov eax, dword ptr fs:[00000030h]	9_2_015D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2582 mov ecx, dword ptr fs:[00000030h]	9_2_015D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604588 mov eax, dword ptr fs:[00000030h]	9_2_01604588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F45B1 mov eax, dword ptr fs:[00000030h]	9_2_015F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F45B1 mov eax, dword ptr fs:[00000030h]	9_2_015F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E59C mov eax, dword ptr fs:[00000030h]	9_2_0160E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C460 mov ecx, dword ptr fs:[00000030h]	9_2_0165C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F245A mov eax, dword ptr fs:[00000030h]	9_2_015F245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA471 mov eax, dword ptr fs:[00000030h]	9_2_015DA471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FA470 mov eax, dword ptr fs:[00000030h]	9_2_015FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FA470 mov eax, dword ptr fs:[00000030h]	9_2_015FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FA470 mov eax, dword ptr fs:[00000030h]	9_2_015FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A430 mov eax, dword ptr fs:[00000030h]	9_2_0160A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608402 mov eax, dword ptr fs:[00000030h]	9_2_01608402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608402 mov eax, dword ptr fs:[00000030h]	9_2_01608402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608402 mov eax, dword ptr fs:[00000030h]	9_2_01608402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC427 mov eax, dword ptr fs:[00000030h]	9_2_015CC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE420 mov eax, dword ptr fs:[00000030h]	9_2_015CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE420 mov eax, dword ptr fs:[00000030h]	9_2_015CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE420 mov eax, dword ptr fs:[00000030h]	9_2_015CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D04E5 mov ecx, dword ptr fs:[00000030h]	9_2_015D04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016044B0 mov ecx, dword ptr fs:[00000030h]	9_2_016044B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165A4B0 mov eax, dword ptr fs:[00000030h]	9_2_0165A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6484 mov eax, dword ptr fs:[00000030h]	9_2_015D6484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C64BA mov eax, dword ptr fs:[00000030h]	9_2_015C64BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D64AB mov eax, dword ptr fs:[00000030h]	9_2_015D64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0750 mov eax, dword ptr fs:[00000030h]	9_2_015D0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA740 mov eax, dword ptr fs:[00000030h]	9_2_015CA740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8770 mov eax, dword ptr fs:[00000030h]	9_2_015D8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160674D mov esi, dword ptr fs:[00000030h]	9_2_0160674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160674D mov eax, dword ptr fs:[00000030h]	9_2_0160674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160674D mov eax, dword ptr fs:[00000030h]	9_2_0160674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654755 mov eax, dword ptr fs:[00000030h]	9_2_01654755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01612750 mov eax, dword ptr fs:[00000030h]	9_2_01612750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01612750 mov eax, dword ptr fs:[00000030h]	9_2_01612750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E75D mov eax, dword ptr fs:[00000030h]	9_2_0165E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C720 mov eax, dword ptr fs:[00000030h]	9_2_0160C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C720 mov eax, dword ptr fs:[00000030h]	9_2_0160C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0710 mov eax, dword ptr fs:[00000030h]	9_2_015D0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164C730 mov eax, dword ptr fs:[00000030h]	9_2_0164C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160273C mov eax, dword ptr fs:[00000030h]	9_2_0160273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160273C mov ecx, dword ptr fs:[00000030h]	9_2_0160273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160273C mov eax, dword ptr fs:[00000030h]	9_2_0160273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C700 mov eax, dword ptr fs:[00000030h]	9_2_0160C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600710 mov eax, dword ptr fs:[00000030h]	9_2_01600710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E7E1 mov eax, dword ptr fs:[00000030h]	9_2_0165E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C7F0 mov eax, dword ptr fs:[00000030h]	9_2_0160C7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D47FB mov eax, dword ptr fs:[00000030h]	9_2_015D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D47FB mov eax, dword ptr fs:[00000030h]	9_2_015D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016507C3 mov eax, dword ptr fs:[00000030h]	9_2_016507C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F27ED mov eax, dword ptr fs:[00000030h]	9_2_015F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F27ED mov eax, dword ptr fs:[00000030h]	9_2_015F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F27ED mov eax, dword ptr fs:[00000030h]	9_2_015F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D07AF mov eax, dword ptr fs:[00000030h]	9_2_015D07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A660 mov eax, dword ptr fs:[00000030h]	9_2_0160A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A660 mov eax, dword ptr fs:[00000030h]	9_2_0160A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602674 mov eax, dword ptr fs:[00000030h]	9_2_01602674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EC640 mov eax, dword ptr fs:[00000030h]	9_2_015EC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E266C mov eax, dword ptr fs:[00000030h]	9_2_015E266C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01606620 mov eax, dword ptr fs:[00000030h]	9_2_01606620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608620 mov eax, dword ptr fs:[00000030h]	9_2_01608620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E609 mov eax, dword ptr fs:[00000030h]	9_2_0164E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D262C mov eax, dword ptr fs:[00000030h]	9_2_015D262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01612619 mov eax, dword ptr fs:[00000030h]	9_2_01612619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE627 mov eax, dword ptr fs:[00000030h]	9_2_015EE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016506F1 mov eax, dword ptr fs:[00000030h]	9_2_016506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016506F1 mov eax, dword ptr fs:[00000030h]	9_2_016506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0164E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0164E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0164E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0164E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A6C7 mov ebx, dword ptr fs:[00000030h]	9_2_0160A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A6C7 mov eax, dword ptr fs:[00000030h]	9_2_0160A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E26EB mov eax, dword ptr fs:[00000030h]	9_2_015E26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E26EB mov eax, dword ptr fs:[00000030h]	9_2_015E26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E26EB mov eax, dword ptr fs:[00000030h]	9_2_015E26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E26EB mov eax, dword ptr fs:[00000030h]	9_2_015E26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C6A6 mov eax, dword ptr fs:[00000030h]	9_2_0160C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4690 mov eax, dword ptr fs:[00000030h]	9_2_015D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4690 mov eax, dword ptr fs:[00000030h]	9_2_015D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016066B0 mov eax, dword ptr fs:[00000030h]	9_2_016066B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C68B mov eax, dword ptr fs:[00000030h]	9_2_0160C68B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161096E mov eax, dword ptr fs:[00000030h]	9_2_0161096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161096E mov edx, dword ptr fs:[00000030h]	9_2_0161096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161096E mov eax, dword ptr fs:[00000030h]	9_2_0161096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C97C mov eax, dword ptr fs:[00000030h]	9_2_0165C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01650946 mov eax, dword ptr fs:[00000030h]	9_2_01650946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A950 mov eax, dword ptr fs:[00000030h]	9_2_0160A950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F6962 mov eax, dword ptr fs:[00000030h]	9_2_015F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F6962 mov eax, dword ptr fs:[00000030h]	9_2_015F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F6962 mov eax, dword ptr fs:[00000030h]	9_2_015F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8918 mov eax, dword ptr fs:[00000030h]	9_2_015C8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8918 mov eax, dword ptr fs:[00000030h]	9_2_015C8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165892A mov eax, dword ptr fs:[00000030h]	9_2_0165892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E908 mov eax, dword ptr fs:[00000030h]	9_2_0164E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E908 mov eax, dword ptr fs:[00000030h]	9_2_0164E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C912 mov eax, dword ptr fs:[00000030h]	9_2_0165C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E9E0 mov eax, dword ptr fs:[00000030h]	9_2_0165E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016029F9 mov eax, dword ptr fs:[00000030h]	9_2_016029F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016029F9 mov eax, dword ptr fs:[00000030h]	9_2_016029F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016049D0 mov eax, dword ptr fs:[00000030h]	9_2_016049D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016589B3 mov esi, dword ptr fs:[00000030h]	9_2_016589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016589B3 mov eax, dword ptr fs:[00000030h]	9_2_016589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016589B3 mov eax, dword ptr fs:[00000030h]	9_2_016589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D09AD mov eax, dword ptr fs:[00000030h]	9_2_015D09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D09AD mov eax, dword ptr fs:[00000030h]	9_2_015D09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4859 mov eax, dword ptr fs:[00000030h]	9_2_015D4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4859 mov eax, dword ptr fs:[00000030h]	9_2_015D4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E872 mov eax, dword ptr fs:[00000030h]	9_2_0165E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E872 mov eax, dword ptr fs:[00000030h]	9_2_0165E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600854 mov eax, dword ptr fs:[00000030h]	9_2_01600854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A830 mov eax, dword ptr fs:[00000030h]	9_2_0160A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov ecx, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C810 mov eax, dword ptr fs:[00000030h]	9_2_0165C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E28D0 mov ecx, dword ptr fs:[00000030h]	9_2_015E28D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0160C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0160C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE8C0 mov eax, dword ptr fs:[00000030h]	9_2_015FE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0887 mov eax, dword ptr fs:[00000030h]	9_2_015D0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C89D mov eax, dword ptr fs:[00000030h]	9_2_0165C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8B50 mov eax, dword ptr fs:[00000030h]	9_2_015C8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCB7E mov eax, dword ptr fs:[00000030h]	9_2_015CCB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2B79 mov eax, dword ptr fs:[00000030h]	9_2_015E2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2B79 mov eax, dword ptr fs:[00000030h]	9_2_015E2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2B79 mov eax, dword ptr fs:[00000030h]	9_2_015E2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEB20 mov eax, dword ptr fs:[00000030h]	9_2_015FEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEB20 mov eax, dword ptr fs:[00000030h]	9_2_015FEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0BCD mov eax, dword ptr fs:[00000030h]	9_2_015D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0BCD mov eax, dword ptr fs:[00000030h]	9_2_015D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0BCD mov eax, dword ptr fs:[00000030h]	9_2_015D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608BF0 mov ecx, dword ptr fs:[00000030h]	9_2_01608BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608BF0 mov eax, dword ptr fs:[00000030h]	9_2_01608BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608BF0 mov eax, dword ptr fs:[00000030h]	9_2_01608BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165CBF0 mov eax, dword ptr fs:[00000030h]	9_2_0165CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01632BF6 mov eax, dword ptr fs:[00000030h]	9_2_01632BF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEBFC mov eax, dword ptr fs:[00000030h]	9_2_015FEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8BF0 mov eax, dword ptr fs:[00000030h]	9_2_015D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8BF0 mov eax, dword ptr fs:[00000030h]	9_2_015D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8BF0 mov eax, dword ptr fs:[00000030h]	9_2_015D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0BBE mov eax, dword ptr fs:[00000030h]	9_2_015E0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0BBE mov eax, dword ptr fs:[00000030h]	9_2_015E0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0A5B mov eax, dword ptr fs:[00000030h]	9_2_015E0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0A5B mov eax, dword ptr fs:[00000030h]	9_2_015E0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA6F mov eax, dword ptr fs:[00000030h]	9_2_0160CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA6F mov eax, dword ptr fs:[00000030h]	9_2_0160CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA6F mov eax, dword ptr fs:[00000030h]	9_2_0160CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CA72 mov eax, dword ptr fs:[00000030h]	9_2_0164CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CA72 mov eax, dword ptr fs:[00000030h]	9_2_0164CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2A45 mov eax, dword ptr fs:[00000030h]	9_2_015E2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2A45 mov eax, dword ptr fs:[00000030h]	9_2_015E2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2A45 mov eax, dword ptr fs:[00000030h]	9_2_015E2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600A50 mov eax, dword ptr fs:[00000030h]	9_2_01600A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA24 mov eax, dword ptr fs:[00000030h]	9_2_0160CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA38 mov eax, dword ptr fs:[00000030h]	9_2_0160CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8A00 mov eax, dword ptr fs:[00000030h]	9_2_015C8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8A00 mov eax, dword ptr fs:[00000030h]	9_2_015C8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F4A35 mov eax, dword ptr fs:[00000030h]	9_2_015F4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F4A35 mov eax, dword ptr fs:[00000030h]	9_2_015F4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165CA11 mov eax, dword ptr fs:[00000030h]	9_2_0165CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0AD0 mov eax, dword ptr fs:[00000030h]	9_2_015D0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160AAEE mov eax, dword ptr fs:[00000030h]	9_2_0160AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160AAEE mov eax, dword ptr fs:[00000030h]	9_2_0160AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626ACC mov eax, dword ptr fs:[00000030h]	9_2_01626ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626ACC mov eax, dword ptr fs:[00000030h]	9_2_01626ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626ACC mov eax, dword ptr fs:[00000030h]	9_2_01626ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604AD0 mov eax, dword ptr fs:[00000030h]	9_2_01604AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604AD0 mov eax, dword ptr fs:[00000030h]	9_2_01604AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626AA4 mov eax, dword ptr fs:[00000030h]	9_2_01626AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CEA80 mov eax, dword ptr fs:[00000030h]	9_2_015CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CEA80 mov eax, dword ptr fs:[00000030h]	9_2_015CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608A90 mov edx, dword ptr fs:[00000030h]	9_2_01608A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8AA0 mov eax, dword ptr fs:[00000030h]	9_2_015D8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8AA0 mov eax, dword ptr fs:[00000030h]	9_2_015D8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0D59 mov eax, dword ptr fs:[00000030h]	9_2_015D0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0D59 mov eax, dword ptr fs:[00000030h]	9_2_015D0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0D59 mov eax, dword ptr fs:[00000030h]	9_2_015D0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01658D20 mov eax, dword ptr fs:[00000030h]	9_2_01658D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C6D10 mov eax, dword ptr fs:[00000030h]	9_2_015C6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C6D10 mov eax, dword ptr fs:[00000030h]	9_2_015C6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C6D10 mov eax, dword ptr fs:[00000030h]	9_2_015C6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EAD00 mov eax, dword ptr fs:[00000030h]	9_2_015EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EAD00 mov eax, dword ptr fs:[00000030h]	9_2_015EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EAD00 mov eax, dword ptr fs:[00000030h]	9_2_015EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604D1D mov eax, dword ptr fs:[00000030h]	9_2_01604D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEDD3 mov eax, dword ptr fs:[00000030h]	9_2_015FEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEDD3 mov eax, dword ptr fs:[00000030h]	9_2_015FEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FCDF0 mov eax, dword ptr fs:[00000030h]	9_2_015FCDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FCDF0 mov ecx, dword ptr fs:[00000030h]	9_2_015FCDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654DD7 mov eax, dword ptr fs:[00000030h]	9_2_01654DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654DD7 mov eax, dword ptr fs:[00000030h]	9_2_01654DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCDEA mov eax, dword ptr fs:[00000030h]	9_2_015CCDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCDEA mov eax, dword ptr fs:[00000030h]	9_2_015CCDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F0DE1 mov eax, dword ptr fs:[00000030h]	9_2_015F0DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01606DA0 mov eax, dword ptr fs:[00000030h]	9_2_01606DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CDB1 mov ecx, dword ptr fs:[00000030h]	9_2_0160CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CDB1 mov eax, dword ptr fs:[00000030h]	9_2_0160CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CDB1 mov eax, dword ptr fs:[00000030h]	9_2_0160CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8DBF mov eax, dword ptr fs:[00000030h]	9_2_015F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8DBF mov eax, dword ptr fs:[00000030h]	9_2_015F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6C50 mov eax, dword ptr fs:[00000030h]	9_2_015D6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6C50 mov eax, dword ptr fs:[00000030h]	9_2_015D6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6C50 mov eax, dword ptr fs:[00000030h]	9_2_015D6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F0C44 mov eax, dword ptr fs:[00000030h]	9_2_015F0C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F0C44 mov eax, dword ptr fs:[00000030h]	9_2_015F0C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DCC74 mov eax, dword ptr fs:[00000030h]	9_2_015DCC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604C59 mov eax, dword ptr fs:[00000030h]	9_2_01604C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00 mov eax, dword ptr fs:[00000030h]	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00 mov eax, dword ptr fs:[00000030h]	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00 mov eax, dword ptr fs:[00000030h]	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00 mov eax, dword ptr fs:[00000030h]	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CC00 mov eax, dword ptr fs:[00000030h]	9_2_0160CC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654C0F mov eax, dword ptr fs:[00000030h]	9_2_01654C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CEC20 mov eax, dword ptr fs:[00000030h]	9_2_015CEC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2CDC mov eax, dword ptr fs:[00000030h]	9_2_015E2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2CDC mov eax, dword ptr fs:[00000030h]	9_2_015E2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2CDC mov eax, dword ptr fs:[00000030h]	9_2_015E2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8CD0 mov eax, dword ptr fs:[00000030h]	9_2_015C8CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602CF0 mov eax, dword ptr fs:[00000030h]	9_2_01602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602CF0 mov eax, dword ptr fs:[00000030h]	9_2_01602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602CF0 mov eax, dword ptr fs:[00000030h]	9_2_01602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602CF0 mov eax, dword ptr fs:[00000030h]	9_2_01602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCCC8 mov eax, dword ptr fs:[00000030h]	9_2_015CCCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CCA0 mov ecx, dword ptr fs:[00000030h]	9_2_0164CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0164CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0164CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0164CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654CA8 mov eax, dword ptr fs:[00000030h]	9_2_01654CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8C8D mov eax, dword ptr fs:[00000030h]	9_2_015C8C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8CB1 mov eax, dword ptr fs:[00000030h]	9_2_015F8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8CB1 mov eax, dword ptr fs:[00000030h]	9_2_015F8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01606F60 mov eax, dword ptr fs:[00000030h]	9_2_01606F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01606F60 mov eax, dword ptr fs:[00000030h]	9_2_01606F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAF42 mov eax, dword ptr fs:[00000030h]	9_2_015DAF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAF42 mov eax, dword ptr fs:[00000030h]	9_2_015DAF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAF42 mov eax, dword ptr fs:[00000030h]	9_2_015DAF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40 mov eax, dword ptr fs:[00000030h]	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40 mov eax, dword ptr fs:[00000030h]	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40 mov eax, dword ptr fs:[00000030h]	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40 mov eax, dword ptr fs:[00000030h]	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F7B mov eax, dword ptr fs:[00000030h]	9_2_015E2F7B

Enables debug privileges

Source: C:\Users\user\Desktop\Outstanding payment.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x15AA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x15AA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x155A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x155A4F2	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 1028	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 1028

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: F60000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 120000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F83008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C7F008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: explorer.exe, 0000000A.00000000.2105292943.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097842641.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4538468202.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 0000000A.00000000.2091841907.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526760540.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.2091841907.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4531040280.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526760540.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.2091841907.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526760540.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.2091841907.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526760540.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.2090992450.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4525785289.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Users\user\Desktop\Outstanding payment.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Users\user\AppData\Roaming\iBSWjb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
www.kkkk.shop	121.254.178.252	true
www.oftware-download-92806.bond	unknown	unknown
www.inggraphic.pro	unknown	unknown
www.elnqdjc.shop	unknown	unknown
www.otelhafnia.info	unknown	unknown
www.behm.info	unknown	unknown
www.aja168e.live	unknown	unknown
www.atidiri.fun	unknown	unknown
www.8oosnny.xyz	unknown	unknown
www.nfluencer-marketing-13524.bond	unknown	unknown
www.lphatechblog.xyz	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.enelog.xyz/a03d/	true	Avira URL Cloud: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Outstanding payment.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.dj1.lat/a03d/	Avira URL Cloud: Label: malware
Source: http://www.istromarmitaria.online/a03d/	Avira URL Cloud: Label: malware
Source: www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.otelhafnia.info/a03d/www.kkkk.shop	Avira URL Cloud: Label: malware
Source: http://www.istromarmitaria.online/a03d/www.dj1.lat	Avira URL Cloud: Label: malware
Source: http://www.nfluencer-marketing-13524.bond/a03d/www.atidiri.fun	Avira URL Cloud: Label: malware
Source: http://www.72266.vip/a03d/www.istromarmitaria.online	Avira URL Cloud: Label: malware
Source: http://www.nfluencer-marketing-13524.bond/a03d/	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.dj1.lat/a03d/j	Avira URL Cloud: Label: malware
Source: http://www.aja168e.live/a03d/www.duxrib.xyz	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.atidiri.fun/a03d/	Avira URL Cloud: Label: malware
Source: http://www.otelhafnia.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop/a03d/www.aja168e.live	Avira URL Cloud: Label: malware
Source: http://www.oftware-download-92806.bond/a03d/	Avira URL Cloud: Label: malware
Source: http://www.atidiri.fun/a03d/www.otelhafnia.info	Avira URL Cloud: Label: malware
Source: http://www.inggraphic.pro/a03d/	Avira URL Cloud: Label: malware
Source: http://www.behm.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop	Avira URL Cloud: Label: malware
Source: http://www.elnqdjc.shop/a03d/www.8oosnny.xyz	Avira URL Cloud: Label: malware
Source: http://www.72266.vip/a03d/	Avira URL Cloud: Label: malware
Source: http://www.behm.info/a03d/www.enelog.xyz	Avira URL Cloud: Label: malware
Source: http://www.lphatechblog.xyz/a03d/www.oftware-download-92806.bond	Avira URL Cloud: Label: malware
Source: http://www.8oosnny.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.elnqdjc.shop/a03d/	Avira URL Cloud: Label: malware
Source: http://www.lphatechblog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/www.72266.vip	Avira URL Cloud: Label: malware
Source: http://www.inggraphic.pro/a03d/www.elnqdjc.shop	Avira URL Cloud: Label: malware
Source: http://www.aja168e.live/a03d/	Avira URL Cloud: Label: malware
Source: http://www.oftware-download-92806.bond/a03d/www.behm.info	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/www.lphatechblog.xyz	Avira URL Cloud: Label: malware
Source: http://www.8oosnny.xyz/a03d/www.nfluencer-marketing-13524.bond	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop/a03d/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBSWjb.exe

Avira: detection malicious, Label: HEUR/AGEN.1310400

Found malware configuration

Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBSWjb.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: Outstanding payment.exe	ReversingLabs: Detection: 28%
Source: Outstanding payment.exe	Virustotal: Detection: 36%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBSWjb.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Outstanding payment.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: Outstanding payment.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Outstanding payment.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msiexec.pdb source: RegSvcs.exe, 0000000F.00000002.2163601401.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2167593167.0000000001950000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4525647281.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2166629916.0000000001520000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2166042893.0000000001038000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169801736.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: RegSvcs.exe, 0000000F.00000002.2163601401.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2167593167.0000000001950000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4525647281.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: RegSvcs.exe, 00000009.00000002.2166629916.0000000001520000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2166042893.0000000001038000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169801736.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 0000000A.00000002.4544436194.000000001108F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526176931.0000000002B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4527606666.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.2164292767.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2162873949.00000000043E3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.0000000004740000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2165021648.0000000004596000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2168122863.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.00000000032BE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.0000000003120000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2166132931.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.2164292767.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2162873949.00000000043E3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.0000000004740000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2165021648.0000000004596000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2168122863.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.00000000032BE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.0000000003120000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2166132931.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 0000000A.00000002.4544436194.000000001108F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526176931.0000000002B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4527606666.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 4x nop then jmp 09BD59F2h	0_2_09BD555B
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 4x nop then jmp 05304F52h	11_2_05304ABB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop ebx	15_2_00407B1E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49979 -> 121.254.178.252:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49979 -> 121.254.178.252:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49979 -> 121.254.178.252:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.enelog.xyz/a03d/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.8oosnny.xyz
Source:	DNS query: www.lphatechblog.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.behm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.8oosnny.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nfluencer-marketing-13524.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lphatechblog.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.inggraphic.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.oftware-download-92806.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.aja168e.live replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.atidiri.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.otelhafnia.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.elnqdjc.shop replaycode: Name error (3)

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 10_2_118ADF82 getaddrinfo,setsockopt,recv,

10_2_118ADF82

Source: global traffic	DNS traffic detected: DNS query: www.inggraphic.pro
Source: global traffic	DNS traffic detected: DNS query: www.elnqdjc.shop
Source: global traffic	DNS traffic detected: DNS query: www.8oosnny.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nfluencer-marketing-13524.bond
Source: global traffic	DNS traffic detected: DNS query: www.atidiri.fun
Source: global traffic	DNS traffic detected: DNS query: www.otelhafnia.info
Source: global traffic	DNS traffic detected: DNS query: www.kkkk.shop
Source: global traffic	DNS traffic detected: DNS query: www.aja168e.live
Source: global traffic	DNS traffic detected: DNS query: www.lphatechblog.xyz
Source: global traffic	DNS traffic detected: DNS query: www.oftware-download-92806.bond
Source: global traffic	DNS traffic detected: DNS query: www.behm.info

Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000A.00000002.4525785289.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2090992450.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000002.4534821677.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000A.00000000.2104136768.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2103626523.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4533350845.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Outstanding payment.exe, 00000000.00000002.2111417638.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, iBSWjb.exe, 0000000B.00000002.2146532412.0000000003309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.72266.vip
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.72266.vip/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.72266.vip/a03d/www.istromarmitaria.online
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.72266.vipReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8oosnny.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8oosnny.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8oosnny.xyz/a03d/www.nfluencer-marketing-13524.bond
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8oosnny.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live/a03d/www.duxrib.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.liveReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun/a03d/www.otelhafnia.info
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.funReferer:
Source: explorer.exe, 0000000A.00000000.2117409581.000000000C8E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096098347.000000000C8E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096192758.000000000C8EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.behm.info
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.behm.info/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.behm.info/a03d/www.enelog.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.behm.infoReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.lat
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.lat/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.lat/a03d/j
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.latReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/www.lphatechblog.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop/a03d/www.8oosnny.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shopReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/www.72266.vip
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro/a03d/www.elnqdjc.shop
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.proReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.istromarmitaria.online
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.istromarmitaria.online/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.istromarmitaria.online/a03d/www.dj1.lat
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.istromarmitaria.onlineReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop/a03d/www.aja168e.live
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shopReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyz/a03d/www.oftware-download-92806.bond
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-13524.bond
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-13524.bond/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-13524.bond/a03d/www.atidiri.fun
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-13524.bondReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bond
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bond/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bond/a03d/www.behm.info
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bondReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info/a03d/www.kkkk.shop
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.infoReferer:
Source: explorer.exe, 0000000A.00000002.4541154394.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2116427332.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 0000000A.00000002.4531583255.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2095932568.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000002.4534821677.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000000.2095932568.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4531583255.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000000.2092490367.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527780595.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096430649.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097842641.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4538468202.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4538536779.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096220072.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000A.00000000.2116427332.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4541154394.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 0000000A.00000002.4534821677.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 0000000A.00000002.4534821677.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.4544744783.00000000118C5000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Outstanding payment.exe PID: 6252, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: iBSWjb.exe PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6564, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msiexec.exe PID: 3876, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 4676, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Outstanding payment.exe

Contains functionality to call native functions

Source: C:\Windows\explorer.exe	Code function: 10_2_118AEE12 NtProtectVirtualMemory,	10_2_118AEE12
Source: C:\Windows\explorer.exe	Code function: 10_2_118AD232 NtCreateFile,	10_2_118AD232
Source: C:\Windows\explorer.exe	Code function: 10_2_118AEE0A NtProtectVirtualMemory,	10_2_118AEE0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A320 NtCreateFile,	15_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A3D0 NtReadFile,	15_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A450 NtClose,	15_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A500 NtAllocateVirtualMemory,	15_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A31B NtCreateFile,	15_2_0041A31B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A44B NtClose,	15_2_0041A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A4FF NtAllocateVirtualMemory,	15_2_0041A4FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642B60 NtClose,LdrInitializeThunk,	15_2_01642B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_01642BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642AD0 NtReadFile,LdrInitializeThunk,	15_2_01642AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642D30 NtUnmapViewOfSection,LdrInitializeThunk,	15_2_01642D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642D10 NtMapViewOfSection,LdrInitializeThunk,	15_2_01642D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642DF0 NtQuerySystemInformation,LdrInitializeThunk,	15_2_01642DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642DD0 NtDelayExecution,LdrInitializeThunk,	15_2_01642DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642C70 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_01642C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642CA0 NtQueryInformationToken,LdrInitializeThunk,	15_2_01642CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642F30 NtCreateSection,LdrInitializeThunk,	15_2_01642F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642FE0 NtCreateFile,LdrInitializeThunk,	15_2_01642FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642FB0 NtResumeThread,LdrInitializeThunk,	15_2_01642FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642F90 NtProtectVirtualMemory,LdrInitializeThunk,	15_2_01642F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_01642EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642E80 NtReadVirtualMemory,LdrInitializeThunk,	15_2_01642E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01644340 NtSetContextThread,	15_2_01644340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01644650 NtSuspendThread,	15_2_01644650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642BE0 NtQueryValueKey,	15_2_01642BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642BA0 NtEnumerateValueKey,	15_2_01642BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642B80 NtQueryInformationFile,	15_2_01642B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642AF0 NtWriteFile,	15_2_01642AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642AB0 NtWaitForSingleObject,	15_2_01642AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642D00 NtSetInformationFile,	15_2_01642D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642DB0 NtEnumerateKey,	15_2_01642DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642C60 NtCreateKey,	15_2_01642C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642C00 NtQueryInformationProcess,	15_2_01642C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642CF0 NtOpenProcess,	15_2_01642CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642CC0 NtQueryVirtualMemory,	15_2_01642CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642F60 NtCreateProcessEx,	15_2_01642F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642FA0 NtQuerySection,	15_2_01642FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642E30 NtWriteVirtualMemory,	15_2_01642E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642EE0 NtQueueApcThread,	15_2_01642EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01643010 NtOpenDirectoryObject,	15_2_01643010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01643090 NtSetValueKey,	15_2_01643090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016435C0 NtCreateMutant,	15_2_016435C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016439B0 NtGetContextThread,	15_2_016439B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01643D70 NtOpenThread,	15_2_01643D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01643D10 NtOpenProcessToken,	15_2_01643D10

Detected potential crypto function

Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010925C1	0_2_010925C1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010991C4	0_2_010991C4
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010913C8	0_2_010913C8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01093470	0_2_01093470
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01091C08	0_2_01091C08
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010920D2	0_2_010920D2
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109C39B	0_2_0109C39B
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010943B0	0_2_010943B0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010943C0	0_2_010943C0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109C400	0_2_0109C400
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01090870	0_2_01090870
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01094F08	0_2_01094F08
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109CE8F	0_2_0109CE8F
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109CED3	0_2_0109CED3
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01094EF9	0_2_01094EF9
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109134B	0_2_0109134B
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01095210	0_2_01095210
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109345C	0_2_0109345C
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010957A2	0_2_010957A2
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010957B0	0_2_010957B0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01095600	0_2_01095600
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01095610	0_2_01095610
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010959CA	0_2_010959CA
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010959D8	0_2_010959D8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD02A0	0_2_09BD02A0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD0291	0_2_09BD0291
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD84E8	0_2_09BD84E8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD0C50	0_2_09BD0C50
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD77E0	0_2_09BD77E0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F0B70	0_2_0B2F0B70
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5A80	0_2_0B2F5A80
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F7998	0_2_0B2F7998
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6020	0_2_0B2F6020
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F0040	0_2_0B2F0040
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F2098	0_2_0B2F2098
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F70E8	0_2_0B2F70E8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5640	0_2_0B2F5640
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F16E0	0_2_0B2F16E0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F1B28	0_2_0B2F1B28
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F1B19	0_2_0B2F1B19
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5A71	0_2_0B2F5A71
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F0AD0	0_2_0B2F0AD0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6928	0_2_0B2F6928
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F4920	0_2_0B2F4920
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6918	0_2_0B2F6918
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F4910	0_2_0B2F4910
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F19B1	0_2_0B2F19B1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F7988	0_2_0B2F7988
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F7F78	0_2_0B2F7F78
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F4FA0	0_2_0B2F4FA0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F4FB0	0_2_0B2F4FB0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F7F88	0_2_0B2F7F88
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F3D61	0_2_0B2F3D61
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F3D70	0_2_0B2F3D70
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5CB9	0_2_0B2F5CB9
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5CC8	0_2_0B2F5CC8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F51C0	0_2_0B2F51C0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F51D0	0_2_0B2F51D0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F001F	0_2_0B2F001F
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6010	0_2_0B2F6010
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F2089	0_2_0B2F2089
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F70D8	0_2_0B2F70D8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5631	0_2_0B2F5631
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2FB6F8	0_2_0B2FB6F8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2FF6F0	0_2_0B2FF6F0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F16D1	0_2_0B2F16D1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F3589	0_2_0B2F3589
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F55F0	0_2_0B2F55F0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5438	0_2_0B2F5438
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6468	0_2_0B2F6468
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5448	0_2_0B2F5448
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6459	0_2_0B2F6459
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0100	9_2_015D0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626000	9_2_01626000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE3F0	9_2_015EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016602C0	9_2_016602C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016365D0	9_2_016365D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016365B2	9_2_016365B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604750	9_2_01604750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FC6E0	9_2_015FC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F6962	9_2_015F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EA840	9_2_015EA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E8F0	9_2_0160E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C68F1	9_2_015C68F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01618890	9_2_01618890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2A45	9_2_015E2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EED7A	9_2_015EED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EAD00	9_2_015EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E8DC0	9_2_015E8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8DBF	9_2_015F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0CF2	9_2_015D0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01622F28	9_2_01622F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600F30	9_2_01600F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2FC8	9_2_015D2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165EFA0	9_2_0165EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0E59	9_2_015E0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2ED9	9_2_015F2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161516C	9_2_0161516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CF172	9_2_015CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EB1B0	9_2_015EB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E33F3	9_2_015E33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FD2F0	9_2_015FD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E52A0	9_2_015E52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016274E0	9_2_016274E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E3497	9_2_015E3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EB730	9_2_015EB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E9950	9_2_015E9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FB950	9_2_015FB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D1979	9_2_015D1979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E59DA	9_2_015E59DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164D800	9_2_0164D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E38E0	9_2_015E38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01655BF0	9_2_01655BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161DBF9	9_2_0161DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FFB80	9_2_015FFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01653A6C	9_2_01653A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E3D40	9_2_015E3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FFDC0	9_2_015FFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01659C32	9_2_01659C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F9C20	9_2_015F9C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E1F92	9_2_015E1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E9EB0	9_2_015E9EB0
Source: C:\Windows\explorer.exe	Code function: 10_2_0E851232	10_2_0E851232
Source: C:\Windows\explorer.exe	Code function: 10_2_0E84BB30	10_2_0E84BB30
Source: C:\Windows\explorer.exe	Code function: 10_2_0E84BB32	10_2_0E84BB32
Source: C:\Windows\explorer.exe	Code function: 10_2_0E847082	10_2_0E847082
Source: C:\Windows\explorer.exe	Code function: 10_2_0E850036	10_2_0E850036
Source: C:\Windows\explorer.exe	Code function: 10_2_0E8545CD	10_2_0E8545CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0E848D02	10_2_0E848D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0E84E912	10_2_0E84E912
Source: C:\Windows\explorer.exe	Code function: 10_2_10DDC082	10_2_10DDC082
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE5036	10_2_10DE5036
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE95CD	10_2_10DE95CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE3912	10_2_10DE3912
Source: C:\Windows\explorer.exe	Code function: 10_2_10DDDD02	10_2_10DDDD02
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE6232	10_2_10DE6232
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE0B32	10_2_10DE0B32
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE0B30	10_2_10DE0B30
Source: C:\Windows\explorer.exe	Code function: 10_2_118AD232	10_2_118AD232
Source: C:\Windows\explorer.exe	Code function: 10_2_118B05CD	10_2_118B05CD
Source: C:\Windows\explorer.exe	Code function: 10_2_118A4D02	10_2_118A4D02
Source: C:\Windows\explorer.exe	Code function: 10_2_118AA912	10_2_118AA912
Source: C:\Windows\explorer.exe	Code function: 10_2_118A7B32	10_2_118A7B32
Source: C:\Windows\explorer.exe	Code function: 10_2_118A7B30	10_2_118A7B30
Source: C:\Windows\explorer.exe	Code function: 10_2_118A3082	10_2_118A3082
Source: C:\Windows\explorer.exe	Code function: 10_2_118AC036	10_2_118AC036
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031925C1	11_2_031925C1
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031913C8	11_2_031913C8
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031991C4	11_2_031991C4
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03193470	11_2_03193470
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03191C08	11_2_03191C08
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319C39B	11_2_0319C39B
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031943B0	11_2_031943B0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031943C0	11_2_031943C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031920D2	11_2_031920D2
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319C400	11_2_0319C400
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03190870	11_2_03190870
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03194F08	11_2_03194F08
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319CE93	11_2_0319CE93
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319CED3	11_2_0319CED3
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03194EF9	11_2_03194EF9
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319134B	11_2_0319134B
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03195210	11_2_03195210
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031957B0	11_2_031957B0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031957A2	11_2_031957A2
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03195610	11_2_03195610
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03195600	11_2_03195600
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319345B	11_2_0319345B
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031959D8	11_2_031959D8
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031959CA	11_2_031959CA
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_05306468	11_2_05306468
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_053004AF	11_2_053004AF
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_053004C0	11_2_053004C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_053077C0	11_2_053077C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_05300E70	11_2_05300E70
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_08976674	11_2_08976674
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_08979188	11_2_08979188
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B567B18	11_2_0B567B18
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B560AD0	11_2_0B560AD0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565C00	11_2_0B565C00
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B567268	11_2_0B567268
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5661A0	11_2_0B5661A0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B560040	11_2_0B560040
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B562098	11_2_0B562098
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5657C0	11_2_0B5657C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5616E0	11_2_0B5616E0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B563589	11_2_0B563589
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B561B19	11_2_0B561B19
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B567B08	11_2_0B567B08
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B561B28	11_2_0B561B28
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565BF1	11_2_0B565BF1
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B566A99	11_2_0B566A99
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B564910	11_2_0B564910
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B564920	11_2_0B564920
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56F870	11_2_0B56F870
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56EFF0	11_2_0B56EFF0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B564FB0	11_2_0B564FB0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B564FA0	11_2_0B564FA0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565E48	11_2_0B565E48
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565E39	11_2_0B565E39
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B563D70	11_2_0B563D70
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B563D61	11_2_0B563D61
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B567258	11_2_0B567258
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B568108	11_2_0B568108
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5651D0	11_2_0B5651D0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5651C0	11_2_0B5651C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B566190	11_2_0B566190
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56001E	11_2_0B56001E
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5680FA	11_2_0B5680FA
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B562089	11_2_0B562089
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5657B0	11_2_0B5657B0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5616D1	11_2_0B5616D1
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5665D8	11_2_0B5665D8
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5665E8	11_2_0B5665E8
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565448	11_2_0B565448
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565438	11_2_0B565438
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56F428	11_2_0B56F428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00401030	15_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041EAC3	15_2_0041EAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041E524	15_2_0041E524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D580	15_2_0041D580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00402D90	15_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00409E50	15_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00409E0A	15_2_00409E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041EFDF	15_2_0041EFDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00402FB0	15_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01698158	15_2_01698158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01600100	15_2_01600100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016AA118	15_2_016AA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C81CC	15_2_016C81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016D01AA	15_2_016D01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016A2000	15_2_016A2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CA352	15_2_016CA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016D03E6	15_2_016D03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161E3F0	15_2_0161E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016B0274	15_2_016B0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016902C0	15_2_016902C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01610535	15_2_01610535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016D0591	15_2_016D0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C2446	15_2_016C2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016BE4F6	15_2_016BE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01610770	15_2_01610770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01634750	15_2_01634750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0160C7C0	15_2_0160C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162C6E0	15_2_0162C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01626962	15_2_01626962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016129A0	15_2_016129A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016DA9A6	15_2_016DA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161A840	15_2_0161A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01612840	15_2_01612840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0163E8F0	15_2_0163E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015F68B8	15_2_015F68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CAB40	15_2_016CAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C6BD7	15_2_016C6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0160EA80	15_2_0160EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161AD00	15_2_0161AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0160ADE0	15_2_0160ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01628DBF	15_2_01628DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01610C00	15_2_01610C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01600CF2	15_2_01600CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016B0CB5	15_2_016B0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01684F40	15_2_01684F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01652F28	15_2_01652F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01630F30	15_2_01630F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161CFE0	15_2_0161CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01602FC8	15_2_01602FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0168EFA0	15_2_0168EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01610E59	15_2_01610E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CEE26	15_2_016CEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CEEDB	15_2_016CEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01622E90	15_2_01622E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CCE93	15_2_016CCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016DB16B	15_2_016DB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0164516C	15_2_0164516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015FF172	15_2_015FF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161B1B0	15_2_0161B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C70E9	15_2_016C70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CF0E0	15_2_016CF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016170C0	15_2_016170C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016BF0CC	15_2_016BF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015FD34C	15_2_015FD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C132D	15_2_016C132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0165739A	15_2_0165739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016B12ED	15_2_016B12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162B2C0	15_2_0162B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016152A0	15_2_016152A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C7571	15_2_016C7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016AD5B0	15_2_016AD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01601460	15_2_01601460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CF43F	15_2_016CF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CF7B0	15_2_016CF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C16CC	15_2_016C16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01619950	15_2_01619950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162B950	15_2_0162B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016A5910	15_2_016A5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0167D800	15_2_0167D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016138E0	15_2_016138E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFB76	15_2_016CFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01685BF0	15_2_01685BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0164DBF9	15_2_0164DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162FB80	15_2_0162FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01683A6C	15_2_01683A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFA49	15_2_016CFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C7A46	15_2_016C7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016BDAC6	15_2_016BDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01655AA0	15_2_01655AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016ADAAC	15_2_016ADAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C7D73	15_2_016C7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01613D40	15_2_01613D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C1D5A	15_2_016C1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162FDC0	15_2_0162FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01689C32	15_2_01689C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFCF2	15_2_016CFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFF09	15_2_016CFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFFB1	15_2_016CFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01611F92	15_2_01611F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01619EB0	15_2_01619EB0

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01627E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0168F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 015FB970 appears 275 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01645130 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0167EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0164EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01657E54 appears 100 times

Sample file is different than original file name gathered from version info

Source: Outstanding payment.exe, 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000000.2060151617.0000000000612000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVlWL.exe" vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000002.2110202228.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000002.2117960305.0000000007950000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000002.2119057847.0000000009B20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Outstanding payment.exe
Source: Outstanding payment.exe	Binary or memory string: OriginalFilenameVlWL.exe" vs Outstanding payment.exe

Uses 32bit PE files

Source: Outstanding payment.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.4544744783.00000000118C5000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Outstanding payment.exe PID: 6252, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: iBSWjb.exe PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6564, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msiexec.exe PID: 3876, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 4676, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Outstanding payment.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: iBSWjb.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@26/15@11/0

Source: C:\Users\user\Desktop\Outstanding payment.exe

File created: C:\Users\user\AppData\Roaming\iBSWjb.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Mutant created: \Sessions\1\BaseNamedObjects\iGAQEIWfdLpPOyg
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03

Source: C:\Users\user\Desktop\Outstanding payment.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp

Jump to behavior

Source: Outstanding payment.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Outstanding payment.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Outstanding payment.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Outstanding payment.exe	ReversingLabs: Detection: 28%
Source: Outstanding payment.exe	Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\Outstanding payment.exe

File read: C:\Users\user\Desktop\Outstanding payment.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Outstanding payment.exe "C:\Users\user\Desktop\Outstanding payment.exe"
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\iBSWjb.exe C:\Users\user\AppData\Roaming\iBSWjb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: snmpapi.dll

Source: C:\Users\user\Desktop\Outstanding payment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Outstanding payment.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Outstanding payment.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Outstanding payment.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msiexec.pdb source: RegSvcs.exe, 0000000F.00000002.2163601401.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2167593167.0000000001950000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4525647281.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2166629916.0000000001520000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2166042893.0000000001038000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169801736.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: RegSvcs.exe, 0000000F.00000002.2163601401.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2167593167.0000000001950000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4525647281.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: RegSvcs.exe, 00000009.00000002.2166629916.0000000001520000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2166042893.0000000001038000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169801736.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 0000000A.00000002.4544436194.000000001108F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526176931.0000000002B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4527606666.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.2164292767.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2162873949.00000000043E3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.0000000004740000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2165021648.0000000004596000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2168122863.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.00000000032BE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.0000000003120000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2166132931.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.2164292767.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2162873949.00000000043E3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.0000000004740000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2165021648.0000000004596000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2168122863.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.00000000032BE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.0000000003120000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2166132931.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 0000000A.00000002.4544436194.000000001108F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526176931.0000000002B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4527606666.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01090C6C pushfd ; iretd	0_2_01090C6E
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F036B push ecx; ret	0_2_0B2F036C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D09AD push ecx; mov dword ptr [esp], ecx	9_2_015D09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015A1328 push eax; iretd	9_2_015A1369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015A1FEC push eax; iretd	9_2_015A1FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01627E99 push ecx; ret	9_2_01627EAC
Source: C:\Windows\explorer.exe	Code function: 10_2_0E854B02 push esp; retn 0000h	10_2_0E854B03
Source: C:\Windows\explorer.exe	Code function: 10_2_0E854B1E push esp; retn 0000h	10_2_0E854B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0E8549B5 push esp; retn 0000h	10_2_0E854AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE99B5 push esp; retn 0000h	10_2_10DE9AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE9B1E push esp; retn 0000h	10_2_10DE9B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE9B02 push esp; retn 0000h	10_2_10DE9B03
Source: C:\Windows\explorer.exe	Code function: 10_2_118B09B5 push esp; retn 0000h	10_2_118B0AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_118B0B02 push esp; retn 0000h	10_2_118B0B03
Source: C:\Windows\explorer.exe	Code function: 10_2_118B0B1E push esp; retn 0000h	10_2_118B0B1F
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03190C6C pushfd ; iretd	11_2_03190C6E
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03199B79 push edi; iretd	11_2_03199B7A
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03199AB8 push esp; iretd	11_2_03199ABE
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03199ABF push esp; iretd	11_2_03199AC2
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031999E0 push ebx; iretd	11_2_031999E2
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_05303A41 pushfd ; ret	11_2_05303A4D
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56036B push ecx; ret	11_2_0B56036C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041E1FC pushfd ; retf	15_2_0041E1FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_004172AE push ebp; retf	15_2_004172B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D475 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D4C2 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D4CB push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D52C push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D580 push edx; ret	15_2_0041D957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016009AD push ecx; mov dword ptr [esp], ecx	15_2_016009B6

Source: Outstanding payment.exe	Static PE information: section name: .text entropy: 7.532213400746095
Source: iBSWjb.exe.0.dr	Static PE information: section name: .text entropy: 7.532213400746095

Drops PE files

Source: C:\Users\user\Desktop\Outstanding payment.exe

File created: C:\Users\user\AppData\Roaming\iBSWjb.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Outstanding payment.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Outstanding payment.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iBSWjb.exe PID: 6648, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 879904 second address: 87990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 879B6E second address: 879B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 1050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 49E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 5070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 6070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 61A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 71A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: B300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: C300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: C790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: D790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: E790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: F790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 10790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 3300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 5300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 5970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 6970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 6AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 7AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: B570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 9D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: C570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 6AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: B570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: C570000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_015CE0D0 rdtsc

9_2_015CE0D0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Outstanding payment.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7088	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1625	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7998	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1571	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9681	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870	Jump to behavior

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Outstanding payment.exe TID: 6224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 384	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6004	Thread sleep count: 9681 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6004	Thread sleep time: -19362000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6004	Thread sleep count: 265 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6004	Thread sleep time: -530000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe TID: 4796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4720	Thread sleep count: 127 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4720	Thread sleep time: -254000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4720	Thread sleep count: 9270 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4720	Thread sleep time: -18540000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Outstanding payment.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000000A.00000000.2095932568.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 0000000A.00000002.4534821677.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2092490367.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000A.00000000.2090992450.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 0000000A.00000000.2092490367.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000A.00000000.2095932568.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000000.2092490367.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000A.00000000.2092490367.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 0000000A.00000000.2090992450.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: iBSWjb.exe, 0000000B.00000002.2153882426.00000000089B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f')
Source: explorer.exe, 0000000A.00000002.4534821677.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2095932568.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Outstanding payment.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_015CE0D0 rdtsc

9_2_015CE0D0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_01612B60 LdrInitializeThunk,

9_2_01612B60

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01612160 mov eax, dword ptr fs:[00000030h]	9_2_01612160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6154 mov eax, dword ptr fs:[00000030h]	9_2_015D6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6154 mov eax, dword ptr fs:[00000030h]	9_2_015D6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC156 mov eax, dword ptr fs:[00000030h]	9_2_015CC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2140 mov ecx, dword ptr fs:[00000030h]	9_2_015D2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2140 mov eax, dword ptr fs:[00000030h]	9_2_015D2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600124 mov eax, dword ptr fs:[00000030h]	9_2_01600124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E61D1 mov eax, dword ptr fs:[00000030h]	9_2_015E61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E61D1 mov eax, dword ptr fs:[00000030h]	9_2_015E61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016001F8 mov eax, dword ptr fs:[00000030h]	9_2_016001F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0162E1D8 mov eax, dword ptr fs:[00000030h]	9_2_0162E1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016401DA mov eax, dword ptr fs:[00000030h]	9_2_016401DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016401DA mov eax, dword ptr fs:[00000030h]	9_2_016401DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA197 mov eax, dword ptr fs:[00000030h]	9_2_015CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA197 mov eax, dword ptr fs:[00000030h]	9_2_015CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA197 mov eax, dword ptr fs:[00000030h]	9_2_015CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01610185 mov eax, dword ptr fs:[00000030h]	9_2_01610185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165019F mov eax, dword ptr fs:[00000030h]	9_2_0165019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165019F mov eax, dword ptr fs:[00000030h]	9_2_0165019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165019F mov eax, dword ptr fs:[00000030h]	9_2_0165019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165019F mov eax, dword ptr fs:[00000030h]	9_2_0165019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A060 mov eax, dword ptr fs:[00000030h]	9_2_0160A060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2050 mov eax, dword ptr fs:[00000030h]	9_2_015D2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01632045 mov eax, dword ptr fs:[00000030h]	9_2_01632045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FC073 mov eax, dword ptr fs:[00000030h]	9_2_015FC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656050 mov eax, dword ptr fs:[00000030h]	9_2_01656050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE016 mov eax, dword ptr fs:[00000030h]	9_2_015EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE016 mov eax, dword ptr fs:[00000030h]	9_2_015EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE016 mov eax, dword ptr fs:[00000030h]	9_2_015EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE016 mov eax, dword ptr fs:[00000030h]	9_2_015EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654000 mov ecx, dword ptr fs:[00000030h]	9_2_01654000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA020 mov eax, dword ptr fs:[00000030h]	9_2_015CA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC020 mov eax, dword ptr fs:[00000030h]	9_2_015CC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016560E0 mov eax, dword ptr fs:[00000030h]	9_2_016560E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016120F0 mov ecx, dword ptr fs:[00000030h]	9_2_016120F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC0F0 mov eax, dword ptr fs:[00000030h]	9_2_015CC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D80E9 mov eax, dword ptr fs:[00000030h]	9_2_015D80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016520DE mov eax, dword ptr fs:[00000030h]	9_2_016520DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA0E3 mov ecx, dword ptr fs:[00000030h]	9_2_015CA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D208A mov eax, dword ptr fs:[00000030h]	9_2_015D208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C80A0 mov eax, dword ptr fs:[00000030h]	9_2_015C80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0163634C mov eax, dword ptr fs:[00000030h]	9_2_0163634C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164035C mov eax, dword ptr fs:[00000030h]	9_2_0164035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164035C mov eax, dword ptr fs:[00000030h]	9_2_0164035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164035C mov eax, dword ptr fs:[00000030h]	9_2_0164035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164035C mov eax, dword ptr fs:[00000030h]	9_2_0164035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov ecx, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F0310 mov ecx, dword ptr fs:[00000030h]	9_2_015F0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC301 mov ecx, dword ptr fs:[00000030h]	9_2_015CC301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A30B mov eax, dword ptr fs:[00000030h]	9_2_0160A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A30B mov eax, dword ptr fs:[00000030h]	9_2_0160A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A30B mov eax, dword ptr fs:[00000030h]	9_2_0160A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2324 mov eax, dword ptr fs:[00000030h]	9_2_015D2324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D83C0 mov eax, dword ptr fs:[00000030h]	9_2_015D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D83C0 mov eax, dword ptr fs:[00000030h]	9_2_015D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D83C0 mov eax, dword ptr fs:[00000030h]	9_2_015D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D83C0 mov eax, dword ptr fs:[00000030h]	9_2_015D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016063FF mov eax, dword ptr fs:[00000030h]	9_2_016063FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016563C0 mov eax, dword ptr fs:[00000030h]	9_2_016563C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE3F0 mov eax, dword ptr fs:[00000030h]	9_2_015EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE3F0 mov eax, dword ptr fs:[00000030h]	9_2_015EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE3F0 mov eax, dword ptr fs:[00000030h]	9_2_015EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8397 mov eax, dword ptr fs:[00000030h]	9_2_015C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8397 mov eax, dword ptr fs:[00000030h]	9_2_015C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8397 mov eax, dword ptr fs:[00000030h]	9_2_015C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F438F mov eax, dword ptr fs:[00000030h]	9_2_015F438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F438F mov eax, dword ptr fs:[00000030h]	9_2_015F438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE388 mov eax, dword ptr fs:[00000030h]	9_2_015CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE388 mov eax, dword ptr fs:[00000030h]	9_2_015CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE388 mov eax, dword ptr fs:[00000030h]	9_2_015CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6259 mov eax, dword ptr fs:[00000030h]	9_2_015D6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA250 mov eax, dword ptr fs:[00000030h]	9_2_015CA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01658243 mov eax, dword ptr fs:[00000030h]	9_2_01658243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01658243 mov ecx, dword ptr fs:[00000030h]	9_2_01658243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C826B mov eax, dword ptr fs:[00000030h]	9_2_015C826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4260 mov eax, dword ptr fs:[00000030h]	9_2_015D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4260 mov eax, dword ptr fs:[00000030h]	9_2_015D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4260 mov eax, dword ptr fs:[00000030h]	9_2_015D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0218 mov eax, dword ptr fs:[00000030h]	9_2_015E0218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C823B mov eax, dword ptr fs:[00000030h]	9_2_015C823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02E1 mov eax, dword ptr fs:[00000030h]	9_2_015E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02E1 mov eax, dword ptr fs:[00000030h]	9_2_015E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02E1 mov eax, dword ptr fs:[00000030h]	9_2_015E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E284 mov eax, dword ptr fs:[00000030h]	9_2_0160E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E284 mov eax, dword ptr fs:[00000030h]	9_2_0160E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01650283 mov eax, dword ptr fs:[00000030h]	9_2_01650283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01650283 mov eax, dword ptr fs:[00000030h]	9_2_01650283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01650283 mov eax, dword ptr fs:[00000030h]	9_2_01650283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02A0 mov eax, dword ptr fs:[00000030h]	9_2_015E02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02A0 mov eax, dword ptr fs:[00000030h]	9_2_015E02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160656A mov eax, dword ptr fs:[00000030h]	9_2_0160656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160656A mov eax, dword ptr fs:[00000030h]	9_2_0160656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160656A mov eax, dword ptr fs:[00000030h]	9_2_0160656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D65D0 mov eax, dword ptr fs:[00000030h]	9_2_015D65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C5ED mov eax, dword ptr fs:[00000030h]	9_2_0160C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C5ED mov eax, dword ptr fs:[00000030h]	9_2_0160C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E5CF mov eax, dword ptr fs:[00000030h]	9_2_0160E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E5CF mov eax, dword ptr fs:[00000030h]	9_2_0160E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0160A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0160A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D25E0 mov eax, dword ptr fs:[00000030h]	9_2_015D25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA580 mov ecx, dword ptr fs:[00000030h]	9_2_015CA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA580 mov eax, dword ptr fs:[00000030h]	9_2_015CA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2582 mov eax, dword ptr fs:[00000030h]	9_2_015D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2582 mov ecx, dword ptr fs:[00000030h]	9_2_015D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604588 mov eax, dword ptr fs:[00000030h]	9_2_01604588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F45B1 mov eax, dword ptr fs:[00000030h]	9_2_015F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F45B1 mov eax, dword ptr fs:[00000030h]	9_2_015F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E59C mov eax, dword ptr fs:[00000030h]	9_2_0160E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C460 mov ecx, dword ptr fs:[00000030h]	9_2_0165C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F245A mov eax, dword ptr fs:[00000030h]	9_2_015F245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA471 mov eax, dword ptr fs:[00000030h]	9_2_015DA471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FA470 mov eax, dword ptr fs:[00000030h]	9_2_015FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FA470 mov eax, dword ptr fs:[00000030h]	9_2_015FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FA470 mov eax, dword ptr fs:[00000030h]	9_2_015FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A430 mov eax, dword ptr fs:[00000030h]	9_2_0160A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608402 mov eax, dword ptr fs:[00000030h]	9_2_01608402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608402 mov eax, dword ptr fs:[00000030h]	9_2_01608402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608402 mov eax, dword ptr fs:[00000030h]	9_2_01608402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC427 mov eax, dword ptr fs:[00000030h]	9_2_015CC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE420 mov eax, dword ptr fs:[00000030h]	9_2_015CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE420 mov eax, dword ptr fs:[00000030h]	9_2_015CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE420 mov eax, dword ptr fs:[00000030h]	9_2_015CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D04E5 mov ecx, dword ptr fs:[00000030h]	9_2_015D04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016044B0 mov ecx, dword ptr fs:[00000030h]	9_2_016044B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165A4B0 mov eax, dword ptr fs:[00000030h]	9_2_0165A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6484 mov eax, dword ptr fs:[00000030h]	9_2_015D6484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C64BA mov eax, dword ptr fs:[00000030h]	9_2_015C64BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D64AB mov eax, dword ptr fs:[00000030h]	9_2_015D64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0750 mov eax, dword ptr fs:[00000030h]	9_2_015D0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA740 mov eax, dword ptr fs:[00000030h]	9_2_015CA740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8770 mov eax, dword ptr fs:[00000030h]	9_2_015D8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160674D mov esi, dword ptr fs:[00000030h]	9_2_0160674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160674D mov eax, dword ptr fs:[00000030h]	9_2_0160674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160674D mov eax, dword ptr fs:[00000030h]	9_2_0160674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654755 mov eax, dword ptr fs:[00000030h]	9_2_01654755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01612750 mov eax, dword ptr fs:[00000030h]	9_2_01612750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01612750 mov eax, dword ptr fs:[00000030h]	9_2_01612750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E75D mov eax, dword ptr fs:[00000030h]	9_2_0165E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C720 mov eax, dword ptr fs:[00000030h]	9_2_0160C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C720 mov eax, dword ptr fs:[00000030h]	9_2_0160C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0710 mov eax, dword ptr fs:[00000030h]	9_2_015D0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164C730 mov eax, dword ptr fs:[00000030h]	9_2_0164C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160273C mov eax, dword ptr fs:[00000030h]	9_2_0160273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160273C mov ecx, dword ptr fs:[00000030h]	9_2_0160273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160273C mov eax, dword ptr fs:[00000030h]	9_2_0160273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C700 mov eax, dword ptr fs:[00000030h]	9_2_0160C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600710 mov eax, dword ptr fs:[00000030h]	9_2_01600710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E7E1 mov eax, dword ptr fs:[00000030h]	9_2_0165E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C7F0 mov eax, dword ptr fs:[00000030h]	9_2_0160C7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D47FB mov eax, dword ptr fs:[00000030h]	9_2_015D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D47FB mov eax, dword ptr fs:[00000030h]	9_2_015D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016507C3 mov eax, dword ptr fs:[00000030h]	9_2_016507C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F27ED mov eax, dword ptr fs:[00000030h]	9_2_015F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F27ED mov eax, dword ptr fs:[00000030h]	9_2_015F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F27ED mov eax, dword ptr fs:[00000030h]	9_2_015F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D07AF mov eax, dword ptr fs:[00000030h]	9_2_015D07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A660 mov eax, dword ptr fs:[00000030h]	9_2_0160A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A660 mov eax, dword ptr fs:[00000030h]	9_2_0160A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602674 mov eax, dword ptr fs:[00000030h]	9_2_01602674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EC640 mov eax, dword ptr fs:[00000030h]	9_2_015EC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E266C mov eax, dword ptr fs:[00000030h]	9_2_015E266C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01606620 mov eax, dword ptr fs:[00000030h]	9_2_01606620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608620 mov eax, dword ptr fs:[00000030h]	9_2_01608620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E609 mov eax, dword ptr fs:[00000030h]	9_2_0164E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D262C mov eax, dword ptr fs:[00000030h]	9_2_015D262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01612619 mov eax, dword ptr fs:[00000030h]	9_2_01612619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE627 mov eax, dword ptr fs:[00000030h]	9_2_015EE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016506F1 mov eax, dword ptr fs:[00000030h]	9_2_016506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016506F1 mov eax, dword ptr fs:[00000030h]	9_2_016506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0164E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0164E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0164E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0164E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A6C7 mov ebx, dword ptr fs:[00000030h]	9_2_0160A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A6C7 mov eax, dword ptr fs:[00000030h]	9_2_0160A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E26EB mov eax, dword ptr fs:[00000030h]	9_2_015E26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E26EB mov eax, dword ptr fs:[00000030h]	9_2_015E26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E26EB mov eax, dword ptr fs:[00000030h]	9_2_015E26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E26EB mov eax, dword ptr fs:[00000030h]	9_2_015E26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C6A6 mov eax, dword ptr fs:[00000030h]	9_2_0160C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4690 mov eax, dword ptr fs:[00000030h]	9_2_015D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4690 mov eax, dword ptr fs:[00000030h]	9_2_015D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016066B0 mov eax, dword ptr fs:[00000030h]	9_2_016066B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C68B mov eax, dword ptr fs:[00000030h]	9_2_0160C68B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161096E mov eax, dword ptr fs:[00000030h]	9_2_0161096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161096E mov edx, dword ptr fs:[00000030h]	9_2_0161096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161096E mov eax, dword ptr fs:[00000030h]	9_2_0161096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C97C mov eax, dword ptr fs:[00000030h]	9_2_0165C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01650946 mov eax, dword ptr fs:[00000030h]	9_2_01650946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A950 mov eax, dword ptr fs:[00000030h]	9_2_0160A950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F6962 mov eax, dword ptr fs:[00000030h]	9_2_015F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F6962 mov eax, dword ptr fs:[00000030h]	9_2_015F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F6962 mov eax, dword ptr fs:[00000030h]	9_2_015F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8918 mov eax, dword ptr fs:[00000030h]	9_2_015C8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8918 mov eax, dword ptr fs:[00000030h]	9_2_015C8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165892A mov eax, dword ptr fs:[00000030h]	9_2_0165892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E908 mov eax, dword ptr fs:[00000030h]	9_2_0164E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E908 mov eax, dword ptr fs:[00000030h]	9_2_0164E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C912 mov eax, dword ptr fs:[00000030h]	9_2_0165C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E9E0 mov eax, dword ptr fs:[00000030h]	9_2_0165E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016029F9 mov eax, dword ptr fs:[00000030h]	9_2_016029F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016029F9 mov eax, dword ptr fs:[00000030h]	9_2_016029F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016049D0 mov eax, dword ptr fs:[00000030h]	9_2_016049D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016589B3 mov esi, dword ptr fs:[00000030h]	9_2_016589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016589B3 mov eax, dword ptr fs:[00000030h]	9_2_016589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016589B3 mov eax, dword ptr fs:[00000030h]	9_2_016589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D09AD mov eax, dword ptr fs:[00000030h]	9_2_015D09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D09AD mov eax, dword ptr fs:[00000030h]	9_2_015D09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4859 mov eax, dword ptr fs:[00000030h]	9_2_015D4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4859 mov eax, dword ptr fs:[00000030h]	9_2_015D4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E872 mov eax, dword ptr fs:[00000030h]	9_2_0165E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E872 mov eax, dword ptr fs:[00000030h]	9_2_0165E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600854 mov eax, dword ptr fs:[00000030h]	9_2_01600854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A830 mov eax, dword ptr fs:[00000030h]	9_2_0160A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov ecx, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C810 mov eax, dword ptr fs:[00000030h]	9_2_0165C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E28D0 mov ecx, dword ptr fs:[00000030h]	9_2_015E28D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0160C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0160C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE8C0 mov eax, dword ptr fs:[00000030h]	9_2_015FE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0887 mov eax, dword ptr fs:[00000030h]	9_2_015D0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C89D mov eax, dword ptr fs:[00000030h]	9_2_0165C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8B50 mov eax, dword ptr fs:[00000030h]	9_2_015C8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCB7E mov eax, dword ptr fs:[00000030h]	9_2_015CCB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2B79 mov eax, dword ptr fs:[00000030h]	9_2_015E2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2B79 mov eax, dword ptr fs:[00000030h]	9_2_015E2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2B79 mov eax, dword ptr fs:[00000030h]	9_2_015E2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEB20 mov eax, dword ptr fs:[00000030h]	9_2_015FEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEB20 mov eax, dword ptr fs:[00000030h]	9_2_015FEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0BCD mov eax, dword ptr fs:[00000030h]	9_2_015D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0BCD mov eax, dword ptr fs:[00000030h]	9_2_015D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0BCD mov eax, dword ptr fs:[00000030h]	9_2_015D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608BF0 mov ecx, dword ptr fs:[00000030h]	9_2_01608BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608BF0 mov eax, dword ptr fs:[00000030h]	9_2_01608BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608BF0 mov eax, dword ptr fs:[00000030h]	9_2_01608BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165CBF0 mov eax, dword ptr fs:[00000030h]	9_2_0165CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01632BF6 mov eax, dword ptr fs:[00000030h]	9_2_01632BF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEBFC mov eax, dword ptr fs:[00000030h]	9_2_015FEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8BF0 mov eax, dword ptr fs:[00000030h]	9_2_015D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8BF0 mov eax, dword ptr fs:[00000030h]	9_2_015D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8BF0 mov eax, dword ptr fs:[00000030h]	9_2_015D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0BBE mov eax, dword ptr fs:[00000030h]	9_2_015E0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0BBE mov eax, dword ptr fs:[00000030h]	9_2_015E0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0A5B mov eax, dword ptr fs:[00000030h]	9_2_015E0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0A5B mov eax, dword ptr fs:[00000030h]	9_2_015E0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA6F mov eax, dword ptr fs:[00000030h]	9_2_0160CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA6F mov eax, dword ptr fs:[00000030h]	9_2_0160CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA6F mov eax, dword ptr fs:[00000030h]	9_2_0160CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CA72 mov eax, dword ptr fs:[00000030h]	9_2_0164CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CA72 mov eax, dword ptr fs:[00000030h]	9_2_0164CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2A45 mov eax, dword ptr fs:[00000030h]	9_2_015E2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2A45 mov eax, dword ptr fs:[00000030h]	9_2_015E2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2A45 mov eax, dword ptr fs:[00000030h]	9_2_015E2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600A50 mov eax, dword ptr fs:[00000030h]	9_2_01600A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA24 mov eax, dword ptr fs:[00000030h]	9_2_0160CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA38 mov eax, dword ptr fs:[00000030h]	9_2_0160CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8A00 mov eax, dword ptr fs:[00000030h]	9_2_015C8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8A00 mov eax, dword ptr fs:[00000030h]	9_2_015C8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F4A35 mov eax, dword ptr fs:[00000030h]	9_2_015F4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F4A35 mov eax, dword ptr fs:[00000030h]	9_2_015F4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165CA11 mov eax, dword ptr fs:[00000030h]	9_2_0165CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0AD0 mov eax, dword ptr fs:[00000030h]	9_2_015D0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160AAEE mov eax, dword ptr fs:[00000030h]	9_2_0160AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160AAEE mov eax, dword ptr fs:[00000030h]	9_2_0160AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626ACC mov eax, dword ptr fs:[00000030h]	9_2_01626ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626ACC mov eax, dword ptr fs:[00000030h]	9_2_01626ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626ACC mov eax, dword ptr fs:[00000030h]	9_2_01626ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604AD0 mov eax, dword ptr fs:[00000030h]	9_2_01604AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604AD0 mov eax, dword ptr fs:[00000030h]	9_2_01604AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626AA4 mov eax, dword ptr fs:[00000030h]	9_2_01626AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CEA80 mov eax, dword ptr fs:[00000030h]	9_2_015CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CEA80 mov eax, dword ptr fs:[00000030h]	9_2_015CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608A90 mov edx, dword ptr fs:[00000030h]	9_2_01608A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8AA0 mov eax, dword ptr fs:[00000030h]	9_2_015D8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8AA0 mov eax, dword ptr fs:[00000030h]	9_2_015D8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0D59 mov eax, dword ptr fs:[00000030h]	9_2_015D0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0D59 mov eax, dword ptr fs:[00000030h]	9_2_015D0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0D59 mov eax, dword ptr fs:[00000030h]	9_2_015D0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01658D20 mov eax, dword ptr fs:[00000030h]	9_2_01658D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C6D10 mov eax, dword ptr fs:[00000030h]	9_2_015C6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C6D10 mov eax, dword ptr fs:[00000030h]	9_2_015C6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C6D10 mov eax, dword ptr fs:[00000030h]	9_2_015C6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EAD00 mov eax, dword ptr fs:[00000030h]	9_2_015EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EAD00 mov eax, dword ptr fs:[00000030h]	9_2_015EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EAD00 mov eax, dword ptr fs:[00000030h]	9_2_015EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604D1D mov eax, dword ptr fs:[00000030h]	9_2_01604D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEDD3 mov eax, dword ptr fs:[00000030h]	9_2_015FEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEDD3 mov eax, dword ptr fs:[00000030h]	9_2_015FEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FCDF0 mov eax, dword ptr fs:[00000030h]	9_2_015FCDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FCDF0 mov ecx, dword ptr fs:[00000030h]	9_2_015FCDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654DD7 mov eax, dword ptr fs:[00000030h]	9_2_01654DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654DD7 mov eax, dword ptr fs:[00000030h]	9_2_01654DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCDEA mov eax, dword ptr fs:[00000030h]	9_2_015CCDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCDEA mov eax, dword ptr fs:[00000030h]	9_2_015CCDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F0DE1 mov eax, dword ptr fs:[00000030h]	9_2_015F0DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01606DA0 mov eax, dword ptr fs:[00000030h]	9_2_01606DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CDB1 mov ecx, dword ptr fs:[00000030h]	9_2_0160CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CDB1 mov eax, dword ptr fs:[00000030h]	9_2_0160CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CDB1 mov eax, dword ptr fs:[00000030h]	9_2_0160CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8DBF mov eax, dword ptr fs:[00000030h]	9_2_015F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8DBF mov eax, dword ptr fs:[00000030h]	9_2_015F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6C50 mov eax, dword ptr fs:[00000030h]	9_2_015D6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6C50 mov eax, dword ptr fs:[00000030h]	9_2_015D6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6C50 mov eax, dword ptr fs:[00000030h]	9_2_015D6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F0C44 mov eax, dword ptr fs:[00000030h]	9_2_015F0C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F0C44 mov eax, dword ptr fs:[00000030h]	9_2_015F0C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DCC74 mov eax, dword ptr fs:[00000030h]	9_2_015DCC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604C59 mov eax, dword ptr fs:[00000030h]	9_2_01604C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00 mov eax, dword ptr fs:[00000030h]	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00 mov eax, dword ptr fs:[00000030h]	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00 mov eax, dword ptr fs:[00000030h]	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00 mov eax, dword ptr fs:[00000030h]	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CC00 mov eax, dword ptr fs:[00000030h]	9_2_0160CC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654C0F mov eax, dword ptr fs:[00000030h]	9_2_01654C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CEC20 mov eax, dword ptr fs:[00000030h]	9_2_015CEC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2CDC mov eax, dword ptr fs:[00000030h]	9_2_015E2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2CDC mov eax, dword ptr fs:[00000030h]	9_2_015E2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2CDC mov eax, dword ptr fs:[00000030h]	9_2_015E2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8CD0 mov eax, dword ptr fs:[00000030h]	9_2_015C8CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602CF0 mov eax, dword ptr fs:[00000030h]	9_2_01602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602CF0 mov eax, dword ptr fs:[00000030h]	9_2_01602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602CF0 mov eax, dword ptr fs:[00000030h]	9_2_01602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602CF0 mov eax, dword ptr fs:[00000030h]	9_2_01602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCCC8 mov eax, dword ptr fs:[00000030h]	9_2_015CCCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CCA0 mov ecx, dword ptr fs:[00000030h]	9_2_0164CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0164CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0164CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0164CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654CA8 mov eax, dword ptr fs:[00000030h]	9_2_01654CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8C8D mov eax, dword ptr fs:[00000030h]	9_2_015C8C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8CB1 mov eax, dword ptr fs:[00000030h]	9_2_015F8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8CB1 mov eax, dword ptr fs:[00000030h]	9_2_015F8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01606F60 mov eax, dword ptr fs:[00000030h]	9_2_01606F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01606F60 mov eax, dword ptr fs:[00000030h]	9_2_01606F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAF42 mov eax, dword ptr fs:[00000030h]	9_2_015DAF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAF42 mov eax, dword ptr fs:[00000030h]	9_2_015DAF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAF42 mov eax, dword ptr fs:[00000030h]	9_2_015DAF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40 mov eax, dword ptr fs:[00000030h]	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40 mov eax, dword ptr fs:[00000030h]	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40 mov eax, dword ptr fs:[00000030h]	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40 mov eax, dword ptr fs:[00000030h]	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F7B mov eax, dword ptr fs:[00000030h]	9_2_015E2F7B

Enables debug privileges

Source: C:\Users\user\Desktop\Outstanding payment.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x15AA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x15AA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x155A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x155A4F2	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 1028	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 1028

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: F60000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 120000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F83008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C7F008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: explorer.exe, 0000000A.00000000.2105292943.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097842641.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4538468202.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 0000000A.00000000.2091841907.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526760540.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.2091841907.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4531040280.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526760540.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.2091841907.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526760540.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.2091841907.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526760540.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.2090992450.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4525785289.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Users\user\Desktop\Outstanding payment.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Users\user\AppData\Roaming\iBSWjb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Windows Analysis Report
Outstanding payment.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Contacted URLs

ID:	1592447
Product:	CloudBasic
Start time:	06:36:05
Start date:	16.01.2025
Sample:	Outstanding payment.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	43dc8c62e9343eb01c3ffb53390e2a55
SHA1:	af544600a7cba01add858593c892c58fe8d9b024
SHA256:	07abbe06a2d17f142846d33bda215df5b05355148c781cb9ff1c8f233f534cbc
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Outstanding payment.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iBSWjb.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	DF955507FBE64D94C86A0F629F298531	33507D77FEF2D184410666E0326801215E4867E6	2329221C88D5F3CBFE5F03251DE7B6AA039DA4647C15FAD7E4307255040C6EE4
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_03hkkdh3.ypg.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34qw05zq.w2b.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52eucve1.ftn.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_anq4t5ds.b1y.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jxxbcmwh.nng.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nhuexac3.cpk.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rodvztqb.mdz.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zrdf23vf.zzk.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp	XML 1.0 document, ASCII text	2E914F9D6A61B792D977724AC15A9C75	40E723959AA03FC7ACA8D54208073DDCED344698	24DFCB135700526DD3B377DACE2E96B87A73AA3F8EC5BFA8E2F195BA1EE770CF
C:\Users\user\AppData\Local\Temp\tmpF30F.tmp	XML 1.0 document, ASCII text	2E914F9D6A61B792D977724AC15A9C75	40E723959AA03FC7ACA8D54208073DDCED344698	24DFCB135700526DD3B377DACE2E96B87A73AA3F8EC5BFA8E2F195BA1EE770CF
C:\Users\user\AppData\Roaming\iBSWjb.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	43DC8C62E9343EB01C3FFB53390E2A55	AF544600A7CBA01ADD858593C892C58FE8D9B024	07ABBE06A2D17F142846D33BDA215DF5B05355148C781CB9FF1C8F233F534CBC
C:\Users\user\AppData\Roaming\iBSWjb.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report Outstanding payment.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Contacted URLs

Windows Analysis Report
Outstanding payment.exe

Malware Threat Intel
Provided by