Windows Analysis Report
Bankcerticate223pdf.exe

Overview

General Information

Sample name:	Bankcerticate223pdf.exe
Analysis ID:	1592537
MD5:	05bf21401fdd83ba54d1ad55f909e590
SHA1:	47efbfdfcfe6a39499d1bd5bf0fe2a27ade6c0ff
SHA256:	efd65e32b20afe5bd0541a097bb5f4e7f741875b2c65cab7f08c04a645ccdf6f
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Bankcerticate223pdf.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.strange.store/a02d/	Avira URL Cloud: Label: malware
Source: http://www.strange.store/a02d/www.coplus.market	Avira URL Cloud: Label: malware
Source: http://www.estionprojetsccpm.online/a02d/	Avira URL Cloud: Label: malware
Source: http://www.harepoint.legal/a02d/www.amsexgirls.website	Avira URL Cloud: Label: malware
Source: http://www.ammamiaitalia.net/a02d/www.idzev.shop	Avira URL Cloud: Label: malware
Source: http://www.ruck-driver-jobs-86708.bond/a02d/www.eat-pumps-31610.bond	Avira URL Cloud: Label: malware
Source: http://www.coplus.market/a02d/www.omptables.xyz	Avira URL Cloud: Label: malware
Source: http://www.eat-pumps-31610.bond/a02d/	Avira URL Cloud: Label: malware
Source: http://www.4cw.lat/a02d/	Avira URL Cloud: Label: malware
Source: http://www.amsexgirls.website/a02d/www.ammamiaitalia.net	Avira URL Cloud: Label: malware
Source: http://www.omptables.xyz/a02d/	Avira URL Cloud: Label: malware
Source: http://www.ruck-driver-jobs-86708.bond/a02d/	Avira URL Cloud: Label: malware
Source: http://www.amsexgirls.website/a02d/	Avira URL Cloud: Label: malware
Source: http://www.ammamiaitalia.net/a02d/	Avira URL Cloud: Label: malware
Source: http://www.idzev.shop/a02d/	Avira URL Cloud: Label: malware
Source: http://www.omptables.xyz/a02d/www.nalyzator.fun	Avira URL Cloud: Label: malware
Source: http://www.rh799295w.vip/a02d/www.4cw.lat	Avira URL Cloud: Label: malware
Source: http://www.yhbvc.xyz/a02d/www.ruck-driver-jobs-86708.bond	Avira URL Cloud: Label: malware
Source: http://www.estionprojetsccpm.online/a02d/www.8435.pizza	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Avira: detection malicious, Label: HEUR/AGEN.1310400

Found malware configuration

Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.8435.pizza/a02d/"], "decoy": ["coplus.market", "oofing-jobs-74429.bond", "healchemists.xyz", "oofcarpenternearme-jp.xyz", "enewebsolutions.online", "harepoint.legal", "88977.club", "omptables.xyz", "eat-pumps-31610.bond", "endown.graphics", "amsexgirls.website", "ovevibes.xyz", "u-thiensu.online", "yblinds.xyz", "rumpchiefofstaff.store", "erzog.fun", "rrm.lat", "agiclime.pro", "agaviet59.shop", "lbdoanhnhan.net", "irvasenitpalvelut.online", "strange.store", "bsidiansurvival.shop", "lown.bond", "irrorbd.online", "idzev.shop", "tyleyourvibe.shop", "qweemaildwqfewew.live", "sychology-degree-92767.bond", "orklift-jobs-76114.bond", "nytymeoccassions.store", "nfluencer-marketing-41832.bond", "rh799295w.vip", "066661a23.buzz", "m235a.net", "omestur.online", "nalyzator.fun", "itchen-remodeling-41686.bond", "ontenbully.shop", "oratrading.best", "tiwebu.info", "lueticks.shop", "ocubox.xyz", "q33.lat", "earch-solar-installer-top.today", "ceqne.vip", "8betpragmatic.store", "oftware-download-37623.bond", "oofing-jobs-29700.bond", "vorachem.xyz", "ruck-driver-jobs-58337.bond", "om-exchange-nft370213.sbs", "jfghnxnvdfgh.icu", "inhngoc.webcam", "ruck-driver-jobs-86708.bond", "oftware-engineering-27699.bond", "nfoyl.xyz", "estionprojetsccpm.online", "reativesos.studio", "ammamiaitalia.net", "4cw.lat", "oofighters.xyz", "ukusindo4dpools.net", "yhbvc.xyz"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: Bankcerticate223pdf.exe	Virustotal: Detection: 33%			Perma Link
Source: Bankcerticate223pdf.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Bankcerticate223pdf.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: Bankcerticate223pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Bankcerticate223pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wscript.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1795690506.0000000001020000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1795049620.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1799615963.0000000000E10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.4178475160.0000000010B5F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4159552520.00000000038FF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4158321746.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1799282057.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4157706817.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1794317883.0000000001560000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.000000000354E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1795281362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1793090894.0000000003059000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.000000000500E000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1796869110.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1794644748.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.1794317883.0000000001560000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.4158931647.000000000354E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1795281362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1793090894.0000000003059000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.000000000500E000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1796869110.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1794644748.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wscript.pdb source: RegSvcs.exe, 00000008.00000002.1795690506.0000000001020000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1795049620.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1799615963.0000000000E10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.4178475160.0000000010B5F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4159552520.00000000038FF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4158321746.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: RegSvcs.exe, 0000000F.00000002.1799282057.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.4157706817.0000000000240000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0025589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	16_2_0025589A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00250207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	16_2_00250207
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00263E66 FindFirstFileW,FindNextFileW,FindClose,	16_2_00263E66
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	16_2_00254EC1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	16_2_0024532E

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop esi		15_2_00417235
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 4x nop then pop esi		16_2_027E7235

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.8435.pizza/a02d/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.omptables.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.nfluencer-marketing-41832.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.coplus.market replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.omptables.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nalyzator.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ammamiaitalia.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.idzev.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.amsexgirls.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ruck-driver-jobs-86708.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.harepoint.legal replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.strange.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.eat-pumps-31610.bond replaycode: Name error (3)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown	DNS traffic detected: query: www.nfluencer-marketing-41832.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.coplus.market replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.omptables.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nalyzator.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ammamiaitalia.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.idzev.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.amsexgirls.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ruck-driver-jobs-86708.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.harepoint.legal replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.strange.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.eat-pumps-31610.bond replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.nfluencer-marketing-41832.bond
Source: global traffic	DNS traffic detected: DNS query: www.ruck-driver-jobs-86708.bond
Source: global traffic	DNS traffic detected: DNS query: www.eat-pumps-31610.bond
Source: global traffic	DNS traffic detected: DNS query: www.harepoint.legal
Source: global traffic	DNS traffic detected: DNS query: www.amsexgirls.website
Source: global traffic	DNS traffic detected: DNS query: www.ammamiaitalia.net
Source: global traffic	DNS traffic detected: DNS query: www.idzev.shop
Source: global traffic	DNS traffic detected: DNS query: www.strange.store
Source: global traffic	DNS traffic detected: DNS query: www.coplus.market
Source: global traffic	DNS traffic detected: DNS query: www.omptables.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nalyzator.fun

Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000009.00000000.1738141569.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4163406763.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1743197029.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Bankcerticate223pdf.exe, 00000000.00000002.1739595988.0000000003291000.00000004.00000800.00020000.00000000.sdmp, cvRSCwXQ.exe, 0000000B.00000002.1786290809.0000000003130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4cw.lat
Source: explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4cw.lat/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4cw.latReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8435.pizza
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8435.pizza/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8435.pizza/a02d/www.rh799295w.vip
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8435.pizzaReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ammamiaitalia.net
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ammamiaitalia.net/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ammamiaitalia.net/a02d/www.idzev.shop
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ammamiaitalia.netReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsexgirls.website
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsexgirls.website/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsexgirls.website/a02d/www.ammamiaitalia.net
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsexgirls.websiteReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000009.00000000.1745205480.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108659121.000000000C96C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108840251.000000000C999000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109262060.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coplus.market
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coplus.market/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coplus.market/a02d/www.omptables.xyz
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coplus.marketReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eat-pumps-31610.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eat-pumps-31610.bond/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eat-pumps-31610.bond/a02d/www.harepoint.legal
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eat-pumps-31610.bondReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estionprojetsccpm.online
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estionprojetsccpm.online/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estionprojetsccpm.online/a02d/www.8435.pizza
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estionprojetsccpm.onlineReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harepoint.legal
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harepoint.legal/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harepoint.legal/a02d/www.amsexgirls.website
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harepoint.legalReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.idzev.shop
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.idzev.shop/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.idzev.shop/a02d/www.strange.store
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.idzev.shopReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nalyzator.fun
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nalyzator.fun/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nalyzator.fun/a02d/www.estionprojetsccpm.online
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nalyzator.funReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-41832.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-41832.bond/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-41832.bond/a02d/www.yhbvc.xyz
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-41832.bondReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omptables.xyz
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omptables.xyz/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omptables.xyz/a02d/www.nalyzator.fun
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omptables.xyzReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rh799295w.vip
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rh799295w.vip/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rh799295w.vip/a02d/www.4cw.lat
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rh799295w.vipReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-86708.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-86708.bond/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-86708.bond/a02d/www.eat-pumps-31610.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-86708.bondReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.strange.store
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.strange.store/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.strange.store/a02d/www.coplus.market
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.strange.storeReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yhbvc.xyz
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yhbvc.xyz/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yhbvc.xyz/a02d/www.ruck-driver-jobs-86708.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yhbvc.xyzReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000009.00000002.4159596387.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721630165.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1724813031.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000002.4165294972.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.0000000009701000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000002.4165294972.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.0000000009701000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.1745205480.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4173438175.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Bankcerticate223pdf.exe PID: 5408, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cvRSCwXQ.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7696, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmd.exe PID: 7720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wscript.exe PID: 7728, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2B60 NtClose,LdrInitializeThunk,	8_2_010F2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_010F2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2AD0 NtReadFile,LdrInitializeThunk,	8_2_010F2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_010F2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2D30 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_010F2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2DD0 NtDelayExecution,LdrInitializeThunk,	8_2_010F2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_010F2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_010F2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_010F2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2F30 NtCreateSection,LdrInitializeThunk,	8_2_010F2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2F90 NtProtectVirtualMemory,LdrInitializeThunk,	8_2_010F2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2FB0 NtResumeThread,LdrInitializeThunk,	8_2_010F2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2FE0 NtCreateFile,LdrInitializeThunk,	8_2_010F2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2E80 NtReadVirtualMemory,LdrInitializeThunk,	8_2_010F2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_010F2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F4340 NtSetContextThread,	8_2_010F4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F4650 NtSuspendThread,	8_2_010F4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2B80 NtQueryInformationFile,	8_2_010F2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2BA0 NtEnumerateValueKey,	8_2_010F2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2BE0 NtQueryValueKey,	8_2_010F2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2AB0 NtWaitForSingleObject,	8_2_010F2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2AF0 NtWriteFile,	8_2_010F2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2D00 NtSetInformationFile,	8_2_010F2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2DB0 NtEnumerateKey,	8_2_010F2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2C00 NtQueryInformationProcess,	8_2_010F2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2C60 NtCreateKey,	8_2_010F2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2CC0 NtQueryVirtualMemory,	8_2_010F2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2CF0 NtOpenProcess,	8_2_010F2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2F60 NtCreateProcessEx,	8_2_010F2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2FA0 NtQuerySection,	8_2_010F2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2E30 NtWriteVirtualMemory,	8_2_010F2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2EE0 NtQueueApcThread,	8_2_010F2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3010 NtOpenDirectoryObject,	8_2_010F3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3090 NtSetValueKey,	8_2_010F3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F35C0 NtCreateMutant,	8_2_010F35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F39B0 NtGetContextThread,	8_2_010F39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3D10 NtOpenProcessToken,	8_2_010F3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3D70 NtOpenThread,	8_2_010F3D70
Source: C:\Windows\explorer.exe	Code function: 9_2_0F950E12 NtProtectVirtualMemory,	9_2_0F950E12
Source: C:\Windows\explorer.exe	Code function: 9_2_0F94F232 NtCreateFile,	9_2_0F94F232
Source: C:\Windows\explorer.exe	Code function: 9_2_0F950E0A NtProtectVirtualMemory,	9_2_0F950E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A320 NtCreateFile,	15_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A3D0 NtReadFile,	15_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A450 NtClose,	15_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A500 NtAllocateVirtualMemory,	15_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A31D NtCreateFile,	15_2_0041A31D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A44B NtClose,	15_2_0041A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A4FA NtAllocateVirtualMemory,	15_2_0041A4FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A57A NtAllocateVirtualMemory,	15_2_0041A57A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	16_2_00254823
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0025643A NtOpenThreadToken,NtOpenProcessToken,NtClose,	16_2_0025643A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00267460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	16_2_00267460
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_002564CA NtQueryInformationToken,	16_2_002564CA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0026A135 NtSetInformationFile,	16_2_0026A135
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00256500 NtQueryInformationToken,NtQueryInformationToken,	16_2_00256500
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0026C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	16_2_0026C1FA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00244E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,	16_2_00244E3B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,	16_2_00254759
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422B60 NtClose,LdrInitializeThunk,	16_2_03422B60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422AD0 NtReadFile,LdrInitializeThunk,	16_2_03422AD0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422F30 NtCreateSection,LdrInitializeThunk,	16_2_03422F30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422FE0 NtCreateFile,LdrInitializeThunk,	16_2_03422FE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	16_2_03422EA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422D10 NtMapViewOfSection,LdrInitializeThunk,	16_2_03422D10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422DD0 NtDelayExecution,LdrInitializeThunk,	16_2_03422DD0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422DF0 NtQuerySystemInformation,LdrInitializeThunk,	16_2_03422DF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422C60 NtCreateKey,LdrInitializeThunk,	16_2_03422C60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422C70 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_03422C70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422CA0 NtQueryInformationToken,LdrInitializeThunk,	16_2_03422CA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034235C0 NtCreateMutant,LdrInitializeThunk,	16_2_034235C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03424340 NtSetContextThread,	16_2_03424340
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03424650 NtSuspendThread,	16_2_03424650
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422BE0 NtQueryValueKey,	16_2_03422BE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422BF0 NtAllocateVirtualMemory,	16_2_03422BF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422B80 NtQueryInformationFile,	16_2_03422B80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422BA0 NtEnumerateValueKey,	16_2_03422BA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422AF0 NtWriteFile,	16_2_03422AF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422AB0 NtWaitForSingleObject,	16_2_03422AB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422F60 NtCreateProcessEx,	16_2_03422F60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422F90 NtProtectVirtualMemory,	16_2_03422F90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422FA0 NtQuerySection,	16_2_03422FA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422FB0 NtResumeThread,	16_2_03422FB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422E30 NtWriteVirtualMemory,	16_2_03422E30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422EE0 NtQueueApcThread,	16_2_03422EE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422E80 NtReadVirtualMemory,	16_2_03422E80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422D00 NtSetInformationFile,	16_2_03422D00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422D30 NtUnmapViewOfSection,	16_2_03422D30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422DB0 NtEnumerateKey,	16_2_03422DB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422C00 NtQueryInformationProcess,	16_2_03422C00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422CC0 NtQueryVirtualMemory,	16_2_03422CC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422CF0 NtOpenProcess,	16_2_03422CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03423010 NtOpenDirectoryObject,	16_2_03423010
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03423090 NtSetValueKey,	16_2_03423090
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034239B0 NtGetContextThread,	16_2_034239B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03423D70 NtOpenThread,	16_2_03423D70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03423D10 NtOpenProcessToken,	16_2_03423D10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA320 NtCreateFile,	16_2_027EA320
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA3D0 NtReadFile,	16_2_027EA3D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA450 NtClose,	16_2_027EA450
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA31D NtCreateFile,	16_2_027EA31D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA44B NtClose,	16_2_027EA44B

Contains functionality to communicate with device drivers

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00244C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,

16_2_00244C10

Contains functionality to launch a process as a different user

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00249458 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,

16_2_00249458

Detected potential crypto function

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016425C0	0_2_016425C0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01640871	0_2_01640871
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01641360	0_2_01641360
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016434A8	0_2_016434A8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01641BC0	0_2_01641BC0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01644308	0_2_01644308
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016442F9	0_2_016442F9
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_0164C680	0_2_0164C680
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01645178	0_2_01645178
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016433B8	0_2_016433B8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016412FD	0_2_016412FD
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016415F8	0_2_016415F8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016455A1	0_2_016455A1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016455B0	0_2_016455B0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01645768	0_2_01645768
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01645758	0_2_01645758
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016459E8	0_2_016459E8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016459F8	0_2_016459F8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E7990	0_2_099E7990
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E0B70	0_2_099E0B70
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5A78	0_2_099E5A78
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E1C90	0_2_099E1C90
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E70E0	0_2_099E70E0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6018	0_2_099E6018
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E0040	0_2_099E0040
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E12D8	0_2_099E12D8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5638	0_2_099E5638
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E7980	0_2_099E7980
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6910	0_2_099E6910
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6920	0_2_099E6920
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E3959	0_2_099E3959
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E3968	0_2_099E3968
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4B98	0_2_099E4B98
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4BA8	0_2_099E4BA8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E0AD0	0_2_099E0AD0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5A69	0_2_099E5A69
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4DB8	0_2_099E4DB8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4DC8	0_2_099E4DC8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EED30	0_2_099EED30
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E1C81	0_2_099E1C81
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5CB1	0_2_099E5CB1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5CC0	0_2_099E5CC0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5F21	0_2_099E5F21
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E7F70	0_2_099E7F70
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E7F60	0_2_099E7F60
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EF180	0_2_099EF180
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EF170	0_2_099EF170
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E70D0	0_2_099E70D0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6008	0_2_099E6008
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E0006	0_2_099E0006
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5030	0_2_099E5030
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5040	0_2_099E5040
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E12C9	0_2_099E12C9
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EF5B8	0_2_099EF5B8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EF5A9	0_2_099EF5A9
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4518	0_2_099E4518
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4508	0_2_099E4508
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E3561	0_2_099E3561
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6451	0_2_099E6451
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6460	0_2_099E6460
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E1711	0_2_099E1711
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E1720	0_2_099E1720
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5629	0_2_099E5629
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F6D70	0_2_099F6D70
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F0290	0_2_099F0290
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F02A0	0_2_099F02A0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F06D8	0_2_099F06D8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F06C9	0_2_099F06C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0100	8_2_010B0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01148158	8_2_01148158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011801AA	8_2_011801AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011741A2	8_2_011741A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011781CC	8_2_011781CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117A352	8_2_0117A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE3F0	8_2_010CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011803E6	8_2_011803E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011402C0	8_2_011402C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01180591	8_2_01180591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164420	8_2_01164420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01172446	8_2_01172446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116E4F6	8_2_0116E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E4750	8_2_010E4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BC7C0	8_2_010BC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DC6E0	8_2_010DC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D6962	8_2_010D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0118A9A6	8_2_0118A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CA840	8_2_010CA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2840	8_2_010C2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A68B8	8_2_010A68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE8F0	8_2_010EE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117AB40	8_2_0117AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01176BD7	8_2_01176BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BEA80	8_2_010BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115CD1F	8_2_0115CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CAD00	8_2_010CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D8DBF	8_2_010D8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BADE0	8_2_010BADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0C00	8_2_010C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160CB5	8_2_01160CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0CF2	8_2_010B0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01162F30	8_2_01162F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01102F28	8_2_01102F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E0F30	8_2_010E0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01134F40	8_2_01134F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113EFA0	8_2_0113EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2FC8	8_2_010B2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CCFE0	8_2_010CCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117EE26	8_2_0117EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0E59	8_2_010C0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117CE93	8_2_0117CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2E90	8_2_010D2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C8ECF	8_2_010C8ECF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117EEDB	8_2_0117EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F516C	8_2_010F516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0118B16B	8_2_0118B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AF172	8_2_010AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CB1B0	8_2_010CB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C70C0	8_2_010C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116F0CC	8_2_0116F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117F0E0	8_2_0117F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011770E9	8_2_011770E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117132D	8_2_0117132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AD34C	8_2_010AD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0110739A	8_2_0110739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C33F3	8_2_010C33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C52A0	8_2_010C52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DB2C0	8_2_010DB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011612ED	8_2_011612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DD2F0	8_2_010DD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01177571	8_2_01177571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115D5B0	8_2_0115D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011895C3	8_2_011895C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117F43F	8_2_0117F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B1460	8_2_010B1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C3497	8_2_010C3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117F7B0	8_2_0117F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01105630	8_2_01105630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011716CC	8_2_011716CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01155910	8_2_01155910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C9950	8_2_010C9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DB950	8_2_010DB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112D800	8_2_0112D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B1840	8_2_010B1840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C38E0	8_2_010C38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FB76	8_2_0117FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DFB80	8_2_010DFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01135BF0	8_2_01135BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010FDBF9	8_2_010FDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01177A46	8_2_01177A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FA49	8_2_0117FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01133A6C	8_2_01133A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01105AA0	8_2_01105AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01161AA3	8_2_01161AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115DAAC	8_2_0115DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116DAC6	8_2_0116DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C3D40	8_2_010C3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01171D5A	8_2_01171D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01177D73	8_2_01177D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DFDC0	8_2_010DFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01139C32	8_2_01139C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D9C44	8_2_010D9C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FCF2	8_2_0117FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FF09	8_2_0117FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C1F92	8_2_010C1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FFB1	8_2_0117FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C9EB0	8_2_010C9EB0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7DE232	9_2_0E7DE232
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7D8B30	9_2_0E7D8B30
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7D8B32	9_2_0E7D8B32
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7DD036	9_2_0E7DD036
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7D4082	9_2_0E7D4082
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7DB912	9_2_0E7DB912
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7D5D02	9_2_0E7D5D02
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7E15CD	9_2_0E7E15CD
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E6B32	9_2_0F7E6B32
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E6B30	9_2_0F7E6B30
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EC232	9_2_0F7EC232
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E9912	9_2_0F7E9912
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E3D02	9_2_0F7E3D02
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EF5CD	9_2_0F7EF5CD
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EB036	9_2_0F7EB036
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E2082	9_2_0F7E2082
Source: C:\Windows\explorer.exe	Code function: 9_2_0F94F232	9_2_0F94F232
Source: C:\Windows\explorer.exe	Code function: 9_2_0F9525CD	9_2_0F9525CD
Source: C:\Windows\explorer.exe	Code function: 9_2_0F94C912	9_2_0F94C912
Source: C:\Windows\explorer.exe	Code function: 9_2_0F946D02	9_2_0F946D02
Source: C:\Windows\explorer.exe	Code function: 9_2_0F949B30	9_2_0F949B30
Source: C:\Windows\explorer.exe	Code function: 9_2_0F949B32	9_2_0F949B32
Source: C:\Windows\explorer.exe	Code function: 9_2_0F945082	9_2_0F945082
Source: C:\Windows\explorer.exe	Code function: 9_2_0F94E036	9_2_0F94E036
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E725C0	11_2_00E725C0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E70871	11_2_00E70871
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E71360	11_2_00E71360
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E734A8	11_2_00E734A8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E71BC0	11_2_00E71BC0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E742F9	11_2_00E742F9
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E74308	11_2_00E74308
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E7C680	11_2_00E7C680
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E7C673	11_2_00E7C673
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E75178	11_2_00E75178
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E715F8	11_2_00E715F8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E755B0	11_2_00E755B0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E75768	11_2_00E75768
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E75758	11_2_00E75758
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E759F8	11_2_00E759F8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09677990	11_2_09677990
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09670B70	11_2_09670B70
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09675A78	11_2_09675A78
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09671C90	11_2_09671C90
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09670040	11_2_09670040
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09676018	11_2_09676018
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_096770E0	11_2_096770E0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_096712D8	11_2_096712D8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09675638	11_2_09675638
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09673968	11_2_09673968
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09676920	11_2_09676920
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09674BA8	11_2_09674BA8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967ED30	11_2_0967ED30
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09674DC7	11_2_09674DC7
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09674DC8	11_2_09674DC8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09675CC0	11_2_09675CC0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09677F70	11_2_09677F70
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967F170	11_2_0967F170
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967F180	11_2_0967F180
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09675040	11_2_09675040
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09674518	11_2_09674518
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967F5A9	11_2_0967F5A9
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967F5B8	11_2_0967F5B8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09676460	11_2_09676460
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09671720	11_2_09671720
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B16BF0	11_2_09B16BF0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B102A0	11_2_09B102A0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B10290	11_2_09B10290
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B106D8	11_2_09B106D8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B106C9	11_2_09B106C9
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B16E10	11_2_09B16E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041E82B	15_2_0041E82B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00401030	15_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D585	15_2_0041D585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00402D90	15_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00409E4B	15_2_00409E4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00409E50	15_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00402FB0	15_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0158F172	15_2_0158F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015D516C	15_2_015D516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015AB1B0	15_2_015AB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A0000	15_2_015A0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A70C0	15_2_015A70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0158D34C	15_2_0158D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015BD2F0	15_2_015BD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A52A0	15_2_015A52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01591460	15_2_01591460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015AB730	15_2_015AB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0159C7C0	15_2_0159C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015917EC	15_2_015917EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A9950	15_2_015A9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015BB950	15_2_015BB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015B6962	15_2_015B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A5990	15_2_015A5990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A29A0	15_2_015A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015928F0	15_2_015928F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015CE8F0	15_2_015CE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A38E0	15_2_015A38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015868B8	15_2_015868B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015DDBF9	15_2_015DDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01569B80	15_2_01569B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0159EA80	15_2_0159EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A3D40	15_2_015A3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A8DC0	15_2_015A8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015B8DBF	15_2_015B8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A0C00	15_2_015A0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015B9C20	15_2_015B9C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01563FD5	15_2_01563FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01563FD2	15_2_01563FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01592FC8	15_2_01592FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015ACFE0	15_2_015ACFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A1F92	15_2_015A1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A0E59	15_2_015A0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015B2E90	15_2_015B2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A9EB0	15_2_015A9EB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024540A	16_2_0024540A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00244C10	16_2_00244C10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254875	16_2_00254875
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_002474B1	16_2_002474B1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00249144	16_2_00249144
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0026695A	16_2_0026695A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00264191	16_2_00264191
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00247A34	16_2_00247A34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024EE03	16_2_0024EE03
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00263E66	16_2_00263E66
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024D660	16_2_0024D660
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00246E57	16_2_00246E57
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00253EB3	16_2_00253EB3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00255A86	16_2_00255A86
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0026769E	16_2_0026769E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254EC1	16_2_00254EC1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00246B20	16_2_00246B20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00250740	16_2_00250740
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00250BF0	16_2_00250BF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AA352	16_2_034AA352
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034B03E6	16_2_034B03E6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033FE3F0	16_2_033FE3F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03490274	16_2_03490274
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034702C0	16_2_034702C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03478158	16_2_03478158
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033E0100	16_2_033E0100
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0348A118	16_2_0348A118
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A81CC	16_2_034A81CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034B01AA	16_2_034B01AA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A41A2	16_2_034A41A2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03482000	16_2_03482000
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03414750	16_2_03414750
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F0770	16_2_033F0770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033EC7C0	16_2_033EC7C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340C6E0	16_2_0340C6E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F0535	16_2_033F0535
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034B0591	16_2_034B0591
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A2446	16_2_034A2446
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03494420	16_2_03494420
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0349E4F6	16_2_0349E4F6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AAB40	16_2_034AAB40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A6BD7	16_2_034A6BD7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033EEA80	16_2_033EEA80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03406962	16_2_03406962
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F29A0	16_2_033F29A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034BA9A6	16_2_034BA9A6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033FA840	16_2_033FA840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F2840	16_2_033F2840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033D68B8	16_2_033D68B8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0341E8F0	16_2_0341E8F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03464F40	16_2_03464F40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03432F28	16_2_03432F28
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03410F30	16_2_03410F30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03492F30	16_2_03492F30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0346EFA0	16_2_0346EFA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033E2FC8	16_2_033E2FC8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F0E59	16_2_033F0E59
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AEE26	16_2_034AEE26
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AEEDB	16_2_034AEEDB
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03402E90	16_2_03402E90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034ACE93	16_2_034ACE93
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033FAD00	16_2_033FAD00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0348CD1F	16_2_0348CD1F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033EADE0	16_2_033EADE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03408DBF	16_2_03408DBF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F0C00	16_2_033F0C00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033E0CF2	16_2_033E0CF2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03490CB5	16_2_03490CB5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A132D	16_2_034A132D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033DD34C	16_2_033DD34C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0343739A	16_2_0343739A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340B2C0	16_2_0340B2C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F52A0	16_2_033F52A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034912ED	16_2_034912ED
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340D2F0	16_2_0340D2F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034BB16B	16_2_034BB16B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0342516C	16_2_0342516C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033DF172	16_2_033DF172
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033FB1B0	16_2_033FB1B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0349F0CC	16_2_0349F0CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A70E9	16_2_034A70E9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AF0E0	16_2_034AF0E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F70C0	16_2_033F70C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AF7B0	16_2_034AF7B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03435630	16_2_03435630
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A16CC	16_2_034A16CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A7571	16_2_034A7571
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034B95C3	16_2_034B95C3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0348D5B0	16_2_0348D5B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033E1460	16_2_033E1460
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AF43F	16_2_034AF43F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFB76	16_2_034AFB76
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03465BF0	16_2_03465BF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0342DBF9	16_2_0342DBF9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340FB80	16_2_0340FB80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFA49	16_2_034AFA49
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A7A46	16_2_034A7A46
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03463A6C	16_2_03463A6C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0349DAC6	16_2_0349DAC6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03435AA0	16_2_03435AA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0348DAAC	16_2_0348DAAC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03491AA3	16_2_03491AA3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340B950	16_2_0340B950
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03485910	16_2_03485910
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F9950	16_2_033F9950
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0345D800	16_2_0345D800
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F38E0	16_2_033F38E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFF09	16_2_034AFF09
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F1F92	16_2_033F1F92
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033B3FD2	16_2_033B3FD2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033B3FD5	16_2_033B3FD5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFFB1	16_2_034AFFB1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F9EB0	16_2_033F9EB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A1D5A	16_2_034A1D5A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A7D73	16_2_034A7D73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F3D40	16_2_033F3D40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340FDC0	16_2_0340FDC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03469C32	16_2_03469C32
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFCF2	16_2_034AFCF2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EE82B	16_2_027EE82B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027D9E50	16_2_027D9E50
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027D9E4B	16_2_027D9E4B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027D2FB0	16_2_027D2FB0

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01107E54 appears 129 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0112EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01107EB0 appears 31 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 0345EA12 appears 86 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 03437E54 appears 107 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 03425130 appears 58 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 0346F290 appears 103 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 033DB970 appears 262 times

Sample file is different than original file name gathered from version info

Source: Bankcerticate223pdf.exe, 00000000.00000002.1744026413.0000000007EE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1744906590.000000000881F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameepCs.exe" vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1737968293.00000000013AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1746850433.000000000EC50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000000.1684752209.0000000000CC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameepCs.exe" vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe	Binary or memory string: OriginalFilenameepCs.exe" vs Bankcerticate223pdf.exe

Uses 32bit PE files

Source: Bankcerticate223pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Bankcerticate223pdf.exe PID: 5408, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cvRSCwXQ.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7696, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 7720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wscript.exe PID: 7728, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Bankcerticate223pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cvRSCwXQ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@28/15@12/0

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_0026A759 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,

16_2_0026A759

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File created: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\qeBfodUmscfBzf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8D97.tmp

Jump to behavior

Source: Bankcerticate223pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Bankcerticate223pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bankcerticate223pdf.exe	Virustotal: Detection: 33%
Source: Bankcerticate223pdf.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File read: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Bankcerticate223pdf.exe "C:\Users\user\Desktop\Bankcerticate223pdf.exe"
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe C:\Users\user\AppData\Roaming\cvRSCwXQ.exe
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\wscript.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\wscript.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Bankcerticate223pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Bankcerticate223pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wscript.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1795690506.0000000001020000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1795049620.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1799615963.0000000000E10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.4178475160.0000000010B5F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4159552520.00000000038FF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4158321746.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1799282057.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4157706817.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1794317883.0000000001560000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.000000000354E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1795281362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1793090894.0000000003059000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.000000000500E000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1796869110.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1794644748.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.1794317883.0000000001560000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.4158931647.000000000354E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1795281362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1793090894.0000000003059000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.000000000500E000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1796869110.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1794644748.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wscript.pdb source: RegSvcs.exe, 00000008.00000002.1795690506.0000000001020000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1795049620.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1799615963.0000000000E10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.4178475160.0000000010B5F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4159552520.00000000038FF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4158321746.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: RegSvcs.exe, 0000000F.00000002.1799282057.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.4157706817.0000000000240000.00000040.80000000.00040000.00000000.sdmp

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E036B push ecx; ret	0_2_099E036C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B09AD push ecx; mov dword ptr [esp], ecx	8_2_010B09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CEFE3 push esi; ret	8_2_010CEFE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01081FEC push eax; iretd	8_2_01081FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CBFEA push ebx; retf	8_2_010CBFEB
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7E1B1E push esp; retn 0000h	9_2_0E7E1B1F
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7E1B02 push esp; retn 0000h	9_2_0E7E1B03
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7E19B5 push esp; retn 0000h	9_2_0E7E1AE7
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EFB1E push esp; retn 0000h	9_2_0F7EFB1F
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EFB02 push esp; retn 0000h	9_2_0F7EFB03
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EF9B5 push esp; retn 0000h	9_2_0F7EFAE7
Source: C:\Windows\explorer.exe	Code function: 9_2_0F9529B5 push esp; retn 0000h	9_2_0F952AE7
Source: C:\Windows\explorer.exe	Code function: 9_2_0F952B1E push esp; retn 0000h	9_2_0F952B1F
Source: C:\Windows\explorer.exe	Code function: 9_2_0F952B02 push esp; retn 0000h	9_2_0F952B03
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967036B push ecx; ret	11_2_0967036C
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B135E0 push esp; ret	11_2_09B135ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041209D pushfd ; ret	15_2_0041209E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00407A8D push ecx; ret	15_2_00407A8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D475 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D4C2 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D4CB push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041E49E push es; retf	15_2_0041E49F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D52C push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0156B008 push es; iretd	15_2_0156B009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0156135E push eax; iretd	15_2_01561369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0156225F pushad ; ret	15_2_015627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015627FA pushad ; ret	15_2_015627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01569939 push es; iretd	15_2_01569940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015909AD push ecx; mov dword ptr [esp], ecx	15_2_015909B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0156283D push eax; iretd	15_2_01562858
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_002571ED push ecx; ret	16_2_00257200

Source: Bankcerticate223pdf.exe	Static PE information: section name: .text entropy: 7.5345051773355625
Source: cvRSCwXQ.exe.0.dr	Static PE information: section name: .text entropy: 7.5345051773355625

Drops PE files

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File created: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Bankcerticate223pdf.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvRSCwXQ.exe PID: 7536, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 27D9904 second address: 27D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 9D9904 second address: 9D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 27D9B6E second address: 27D9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 9D9B6E second address: 9D9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 1600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 3290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 56E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 66E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 6810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 7810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: B9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: A000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: C9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: D9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: ECD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: FCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 10CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 52E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 62E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 6410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 7410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: AE50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 9680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: BE50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: CE50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: E140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: F140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 10140000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_010AE0D0 rdtsc

8_2_010AE0D0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7189	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2413	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7108	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1489	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4836	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5104	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 874	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 408
Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 9564

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.8 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 6.2 %
Source: C:\Windows\SysWOW64\cmd.exe	API coverage: 0.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe TID: 480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep count: 7108 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep count: 1489 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7364	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8056	Thread sleep count: 4836 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8056	Thread sleep time: -9672000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8056	Thread sleep count: 5104 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8056	Thread sleep time: -10208000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe TID: 7584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 7848	Thread sleep count: 408 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 7848	Thread sleep time: -816000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 7848	Thread sleep count: 9564 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 7848	Thread sleep time: -19128000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0025589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	16_2_0025589A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00250207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	16_2_00250207
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00263E66 FindFirstFileW,FindNextFileW,FindClose,	16_2_00263E66
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	16_2_00254EC1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	16_2_0024532E

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior

Source: explorer.exe, 00000009.00000000.1742873528.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000002.4165294972.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000009.00000002.4161508658.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000009.00000000.1742873528.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.1742873528.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000009.00000002.4165294972.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000000.1742873528.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000009.00000000.1728391940.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000002.4165163018.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_010AE0D0 rdtsc

8_2_010AE0D0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_010F2B60 NtClose,LdrInitializeThunk,

8_2_010F2B60

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00262E37 IsDebuggerPresent,

16_2_00262E37

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01170115 mov eax, dword ptr fs:[00000030h]	8_2_01170115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118 mov ecx, dword ptr fs:[00000030h]	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118 mov eax, dword ptr fs:[00000030h]	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118 mov eax, dword ptr fs:[00000030h]	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118 mov eax, dword ptr fs:[00000030h]	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov ecx, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov ecx, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov ecx, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov ecx, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E0124 mov eax, dword ptr fs:[00000030h]	8_2_010E0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2140 mov ecx, dword ptr fs:[00000030h]	8_2_010B2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2140 mov eax, dword ptr fs:[00000030h]	8_2_010B2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01148158 mov eax, dword ptr fs:[00000030h]	8_2_01148158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov eax, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov eax, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov ecx, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov eax, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov eax, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC156 mov eax, dword ptr fs:[00000030h]	8_2_010AC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6154 mov eax, dword ptr fs:[00000030h]	8_2_010B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6154 mov eax, dword ptr fs:[00000030h]	8_2_010B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184164 mov eax, dword ptr fs:[00000030h]	8_2_01184164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184164 mov eax, dword ptr fs:[00000030h]	8_2_01184164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F0185 mov eax, dword ptr fs:[00000030h]	8_2_010F0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113019F mov eax, dword ptr fs:[00000030h]	8_2_0113019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113019F mov eax, dword ptr fs:[00000030h]	8_2_0113019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113019F mov eax, dword ptr fs:[00000030h]	8_2_0113019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113019F mov eax, dword ptr fs:[00000030h]	8_2_0113019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01154180 mov eax, dword ptr fs:[00000030h]	8_2_01154180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01154180 mov eax, dword ptr fs:[00000030h]	8_2_01154180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA197 mov eax, dword ptr fs:[00000030h]	8_2_010AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA197 mov eax, dword ptr fs:[00000030h]	8_2_010AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA197 mov eax, dword ptr fs:[00000030h]	8_2_010AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116C188 mov eax, dword ptr fs:[00000030h]	8_2_0116C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116C188 mov eax, dword ptr fs:[00000030h]	8_2_0116C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov ecx, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011761C3 mov eax, dword ptr fs:[00000030h]	8_2_011761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011761C3 mov eax, dword ptr fs:[00000030h]	8_2_011761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C61D1 mov eax, dword ptr fs:[00000030h]	8_2_010C61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C61D1 mov eax, dword ptr fs:[00000030h]	8_2_010C61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E01F8 mov eax, dword ptr fs:[00000030h]	8_2_010E01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011861E5 mov eax, dword ptr fs:[00000030h]	8_2_011861E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01134000 mov ecx, dword ptr fs:[00000030h]	8_2_01134000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE016 mov eax, dword ptr fs:[00000030h]	8_2_010CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE016 mov eax, dword ptr fs:[00000030h]	8_2_010CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE016 mov eax, dword ptr fs:[00000030h]	8_2_010CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE016 mov eax, dword ptr fs:[00000030h]	8_2_010CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146030 mov eax, dword ptr fs:[00000030h]	8_2_01146030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA020 mov eax, dword ptr fs:[00000030h]	8_2_010AA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC020 mov eax, dword ptr fs:[00000030h]	8_2_010AC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136050 mov eax, dword ptr fs:[00000030h]	8_2_01136050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2050 mov eax, dword ptr fs:[00000030h]	8_2_010B2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA060 mov eax, dword ptr fs:[00000030h]	8_2_010EA060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DC073 mov eax, dword ptr fs:[00000030h]	8_2_010DC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B208A mov eax, dword ptr fs:[00000030h]	8_2_010B208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A80A0 mov eax, dword ptr fs:[00000030h]	8_2_010A80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011760B8 mov eax, dword ptr fs:[00000030h]	8_2_011760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011760B8 mov ecx, dword ptr fs:[00000030h]	8_2_011760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011480A8 mov eax, dword ptr fs:[00000030h]	8_2_011480A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011320DE mov eax, dword ptr fs:[00000030h]	8_2_011320DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B80E9 mov eax, dword ptr fs:[00000030h]	8_2_010B80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA0E3 mov ecx, dword ptr fs:[00000030h]	8_2_010AA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011360E0 mov eax, dword ptr fs:[00000030h]	8_2_011360E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC0F0 mov eax, dword ptr fs:[00000030h]	8_2_010AC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F20F0 mov ecx, dword ptr fs:[00000030h]	8_2_010F20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA30B mov eax, dword ptr fs:[00000030h]	8_2_010EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA30B mov eax, dword ptr fs:[00000030h]	8_2_010EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA30B mov eax, dword ptr fs:[00000030h]	8_2_010EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC310 mov ecx, dword ptr fs:[00000030h]	8_2_010AC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D0310 mov ecx, dword ptr fs:[00000030h]	8_2_010D0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2324 mov eax, dword ptr fs:[00000030h]	8_2_010B2324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01188324 mov eax, dword ptr fs:[00000030h]	8_2_01188324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01188324 mov ecx, dword ptr fs:[00000030h]	8_2_01188324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01188324 mov eax, dword ptr fs:[00000030h]	8_2_01188324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01188324 mov eax, dword ptr fs:[00000030h]	8_2_01188324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117A352 mov eax, dword ptr fs:[00000030h]	8_2_0117A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01158350 mov ecx, dword ptr fs:[00000030h]	8_2_01158350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov ecx, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0118634F mov eax, dword ptr fs:[00000030h]	8_2_0118634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115437C mov eax, dword ptr fs:[00000030h]	8_2_0115437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE388 mov eax, dword ptr fs:[00000030h]	8_2_010AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE388 mov eax, dword ptr fs:[00000030h]	8_2_010AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE388 mov eax, dword ptr fs:[00000030h]	8_2_010AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D438F mov eax, dword ptr fs:[00000030h]	8_2_010D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D438F mov eax, dword ptr fs:[00000030h]	8_2_010D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8397 mov eax, dword ptr fs:[00000030h]	8_2_010A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8397 mov eax, dword ptr fs:[00000030h]	8_2_010A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8397 mov eax, dword ptr fs:[00000030h]	8_2_010A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011543D4 mov eax, dword ptr fs:[00000030h]	8_2_011543D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011543D4 mov eax, dword ptr fs:[00000030h]	8_2_011543D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B83C0 mov eax, dword ptr fs:[00000030h]	8_2_010B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B83C0 mov eax, dword ptr fs:[00000030h]	8_2_010B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B83C0 mov eax, dword ptr fs:[00000030h]	8_2_010B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B83C0 mov eax, dword ptr fs:[00000030h]	8_2_010B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E3DB mov eax, dword ptr fs:[00000030h]	8_2_0115E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E3DB mov eax, dword ptr fs:[00000030h]	8_2_0115E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E3DB mov ecx, dword ptr fs:[00000030h]	8_2_0115E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E3DB mov eax, dword ptr fs:[00000030h]	8_2_0115E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011363C0 mov eax, dword ptr fs:[00000030h]	8_2_011363C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116C3CD mov eax, dword ptr fs:[00000030h]	8_2_0116C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E63FF mov eax, dword ptr fs:[00000030h]	8_2_010E63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE3F0 mov eax, dword ptr fs:[00000030h]	8_2_010CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE3F0 mov eax, dword ptr fs:[00000030h]	8_2_010CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE3F0 mov eax, dword ptr fs:[00000030h]	8_2_010CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0218 mov eax, dword ptr fs:[00000030h]	8_2_010C0218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A823B mov eax, dword ptr fs:[00000030h]	8_2_010A823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0118625D mov eax, dword ptr fs:[00000030h]	8_2_0118625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116A250 mov eax, dword ptr fs:[00000030h]	8_2_0116A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116A250 mov eax, dword ptr fs:[00000030h]	8_2_0116A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01138243 mov eax, dword ptr fs:[00000030h]	8_2_01138243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01138243 mov ecx, dword ptr fs:[00000030h]	8_2_01138243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6259 mov eax, dword ptr fs:[00000030h]	8_2_010B6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA250 mov eax, dword ptr fs:[00000030h]	8_2_010AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A826B mov eax, dword ptr fs:[00000030h]	8_2_010A826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4260 mov eax, dword ptr fs:[00000030h]	8_2_010B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4260 mov eax, dword ptr fs:[00000030h]	8_2_010B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4260 mov eax, dword ptr fs:[00000030h]	8_2_010B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE284 mov eax, dword ptr fs:[00000030h]	8_2_010EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE284 mov eax, dword ptr fs:[00000030h]	8_2_010EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01130283 mov eax, dword ptr fs:[00000030h]	8_2_01130283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01130283 mov eax, dword ptr fs:[00000030h]	8_2_01130283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01130283 mov eax, dword ptr fs:[00000030h]	8_2_01130283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02A0 mov eax, dword ptr fs:[00000030h]	8_2_010C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02A0 mov eax, dword ptr fs:[00000030h]	8_2_010C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov ecx, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011862D6 mov eax, dword ptr fs:[00000030h]	8_2_011862D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02E1 mov eax, dword ptr fs:[00000030h]	8_2_010C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02E1 mov eax, dword ptr fs:[00000030h]	8_2_010C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02E1 mov eax, dword ptr fs:[00000030h]	8_2_010C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D02FE mov ecx, dword ptr fs:[00000030h]	8_2_010D02FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146500 mov eax, dword ptr fs:[00000030h]	8_2_01146500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8550 mov eax, dword ptr fs:[00000030h]	8_2_010B8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8550 mov eax, dword ptr fs:[00000030h]	8_2_010B8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E656A mov eax, dword ptr fs:[00000030h]	8_2_010E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E656A mov eax, dword ptr fs:[00000030h]	8_2_010E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E656A mov eax, dword ptr fs:[00000030h]	8_2_010E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E4588 mov eax, dword ptr fs:[00000030h]	8_2_010E4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2582 mov eax, dword ptr fs:[00000030h]	8_2_010B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2582 mov ecx, dword ptr fs:[00000030h]	8_2_010B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA580 mov ecx, dword ptr fs:[00000030h]	8_2_010AA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA580 mov eax, dword ptr fs:[00000030h]	8_2_010AA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE59C mov eax, dword ptr fs:[00000030h]	8_2_010EE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011305A7 mov eax, dword ptr fs:[00000030h]	8_2_011305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011305A7 mov eax, dword ptr fs:[00000030h]	8_2_011305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011305A7 mov eax, dword ptr fs:[00000030h]	8_2_011305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D45B1 mov eax, dword ptr fs:[00000030h]	8_2_010D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D45B1 mov eax, dword ptr fs:[00000030h]	8_2_010D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE5CF mov eax, dword ptr fs:[00000030h]	8_2_010EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE5CF mov eax, dword ptr fs:[00000030h]	8_2_010EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B65D0 mov eax, dword ptr fs:[00000030h]	8_2_010B65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA5D0 mov eax, dword ptr fs:[00000030h]	8_2_010EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA5D0 mov eax, dword ptr fs:[00000030h]	8_2_010EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC5ED mov eax, dword ptr fs:[00000030h]	8_2_010EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC5ED mov eax, dword ptr fs:[00000030h]	8_2_010EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B25E0 mov eax, dword ptr fs:[00000030h]	8_2_010B25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8402 mov eax, dword ptr fs:[00000030h]	8_2_010E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8402 mov eax, dword ptr fs:[00000030h]	8_2_010E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8402 mov eax, dword ptr fs:[00000030h]	8_2_010E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE420 mov eax, dword ptr fs:[00000030h]	8_2_010AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE420 mov eax, dword ptr fs:[00000030h]	8_2_010AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE420 mov eax, dword ptr fs:[00000030h]	8_2_010AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC427 mov eax, dword ptr fs:[00000030h]	8_2_010AC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116A456 mov eax, dword ptr fs:[00000030h]	8_2_0116A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A645D mov eax, dword ptr fs:[00000030h]	8_2_010A645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D245A mov eax, dword ptr fs:[00000030h]	8_2_010D245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C460 mov ecx, dword ptr fs:[00000030h]	8_2_0113C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DA470 mov eax, dword ptr fs:[00000030h]	8_2_010DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DA470 mov eax, dword ptr fs:[00000030h]	8_2_010DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DA470 mov eax, dword ptr fs:[00000030h]	8_2_010DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116A49A mov eax, dword ptr fs:[00000030h]	8_2_0116A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B64AB mov eax, dword ptr fs:[00000030h]	8_2_010B64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113A4B0 mov eax, dword ptr fs:[00000030h]	8_2_0113A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E44B0 mov ecx, dword ptr fs:[00000030h]	8_2_010E44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B04E5 mov ecx, dword ptr fs:[00000030h]	8_2_010B04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC700 mov eax, dword ptr fs:[00000030h]	8_2_010EC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0710 mov eax, dword ptr fs:[00000030h]	8_2_010B0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E0710 mov eax, dword ptr fs:[00000030h]	8_2_010E0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112C730 mov eax, dword ptr fs:[00000030h]	8_2_0112C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC720 mov eax, dword ptr fs:[00000030h]	8_2_010EC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC720 mov eax, dword ptr fs:[00000030h]	8_2_010EC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E273C mov eax, dword ptr fs:[00000030h]	8_2_010E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E273C mov ecx, dword ptr fs:[00000030h]	8_2_010E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E273C mov eax, dword ptr fs:[00000030h]	8_2_010E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E674D mov esi, dword ptr fs:[00000030h]	8_2_010E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E674D mov eax, dword ptr fs:[00000030h]	8_2_010E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E674D mov eax, dword ptr fs:[00000030h]	8_2_010E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01134755 mov eax, dword ptr fs:[00000030h]	8_2_01134755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA740 mov eax, dword ptr fs:[00000030h]	8_2_010AA740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E75D mov eax, dword ptr fs:[00000030h]	8_2_0113E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0750 mov eax, dword ptr fs:[00000030h]	8_2_010B0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2750 mov eax, dword ptr fs:[00000030h]	8_2_010F2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2750 mov eax, dword ptr fs:[00000030h]	8_2_010F2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8770 mov eax, dword ptr fs:[00000030h]	8_2_010B8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115678E mov eax, dword ptr fs:[00000030h]	8_2_0115678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B07AF mov eax, dword ptr fs:[00000030h]	8_2_010B07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011647A0 mov eax, dword ptr fs:[00000030h]	8_2_011647A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BC7C0 mov eax, dword ptr fs:[00000030h]	8_2_010BC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011307C3 mov eax, dword ptr fs:[00000030h]	8_2_011307C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D27ED mov eax, dword ptr fs:[00000030h]	8_2_010D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D27ED mov eax, dword ptr fs:[00000030h]	8_2_010D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D27ED mov eax, dword ptr fs:[00000030h]	8_2_010D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B47FB mov eax, dword ptr fs:[00000030h]	8_2_010B47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B47FB mov eax, dword ptr fs:[00000030h]	8_2_010B47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E7E1 mov eax, dword ptr fs:[00000030h]	8_2_0113E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2619 mov eax, dword ptr fs:[00000030h]	8_2_010F2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E609 mov eax, dword ptr fs:[00000030h]	8_2_0112E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B262C mov eax, dword ptr fs:[00000030h]	8_2_010B262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE627 mov eax, dword ptr fs:[00000030h]	8_2_010CE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E6620 mov eax, dword ptr fs:[00000030h]	8_2_010E6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8620 mov eax, dword ptr fs:[00000030h]	8_2_010E8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CC640 mov eax, dword ptr fs:[00000030h]	8_2_010CC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA660 mov eax, dword ptr fs:[00000030h]	8_2_010EA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA660 mov eax, dword ptr fs:[00000030h]	8_2_010EA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117866E mov eax, dword ptr fs:[00000030h]	8_2_0117866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117866E mov eax, dword ptr fs:[00000030h]	8_2_0117866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E2674 mov eax, dword ptr fs:[00000030h]	8_2_010E2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4690 mov eax, dword ptr fs:[00000030h]	8_2_010B4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4690 mov eax, dword ptr fs:[00000030h]	8_2_010B4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC6A6 mov eax, dword ptr fs:[00000030h]	8_2_010EC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E66B0 mov eax, dword ptr fs:[00000030h]	8_2_010E66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA6C7 mov ebx, dword ptr fs:[00000030h]	8_2_010EA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA6C7 mov eax, dword ptr fs:[00000030h]	8_2_010EA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0112E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0112E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0112E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0112E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011306F1 mov eax, dword ptr fs:[00000030h]	8_2_011306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011306F1 mov eax, dword ptr fs:[00000030h]	8_2_011306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C912 mov eax, dword ptr fs:[00000030h]	8_2_0113C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8918 mov eax, dword ptr fs:[00000030h]	8_2_010A8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8918 mov eax, dword ptr fs:[00000030h]	8_2_010A8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E908 mov eax, dword ptr fs:[00000030h]	8_2_0112E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E908 mov eax, dword ptr fs:[00000030h]	8_2_0112E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113892A mov eax, dword ptr fs:[00000030h]	8_2_0113892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0114892B mov eax, dword ptr fs:[00000030h]	8_2_0114892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01130946 mov eax, dword ptr fs:[00000030h]	8_2_01130946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184940 mov eax, dword ptr fs:[00000030h]	8_2_01184940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F096E mov eax, dword ptr fs:[00000030h]	8_2_010F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F096E mov edx, dword ptr fs:[00000030h]	8_2_010F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F096E mov eax, dword ptr fs:[00000030h]	8_2_010F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01154978 mov eax, dword ptr fs:[00000030h]	8_2_01154978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01154978 mov eax, dword ptr fs:[00000030h]	8_2_01154978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D6962 mov eax, dword ptr fs:[00000030h]	8_2_010D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D6962 mov eax, dword ptr fs:[00000030h]	8_2_010D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D6962 mov eax, dword ptr fs:[00000030h]	8_2_010D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C97C mov eax, dword ptr fs:[00000030h]	8_2_0113C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011389B3 mov esi, dword ptr fs:[00000030h]	8_2_011389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011389B3 mov eax, dword ptr fs:[00000030h]	8_2_011389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011389B3 mov eax, dword ptr fs:[00000030h]	8_2_011389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B09AD mov eax, dword ptr fs:[00000030h]	8_2_010B09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B09AD mov eax, dword ptr fs:[00000030h]	8_2_010B09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117A9D3 mov eax, dword ptr fs:[00000030h]	8_2_0117A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011469C0 mov eax, dword ptr fs:[00000030h]	8_2_011469C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E49D0 mov eax, dword ptr fs:[00000030h]	8_2_010E49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E9E0 mov eax, dword ptr fs:[00000030h]	8_2_0113E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E29F9 mov eax, dword ptr fs:[00000030h]	8_2_010E29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E29F9 mov eax, dword ptr fs:[00000030h]	8_2_010E29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C810 mov eax, dword ptr fs:[00000030h]	8_2_0113C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115483A mov eax, dword ptr fs:[00000030h]	8_2_0115483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115483A mov eax, dword ptr fs:[00000030h]	8_2_0115483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov ecx, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA830 mov eax, dword ptr fs:[00000030h]	8_2_010EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2840 mov ecx, dword ptr fs:[00000030h]	8_2_010C2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4859 mov eax, dword ptr fs:[00000030h]	8_2_010B4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4859 mov eax, dword ptr fs:[00000030h]	8_2_010B4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E0854 mov eax, dword ptr fs:[00000030h]	8_2_010E0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E872 mov eax, dword ptr fs:[00000030h]	8_2_0113E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E872 mov eax, dword ptr fs:[00000030h]	8_2_0113E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146870 mov eax, dword ptr fs:[00000030h]	8_2_01146870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146870 mov eax, dword ptr fs:[00000030h]	8_2_01146870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0887 mov eax, dword ptr fs:[00000030h]	8_2_010B0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C89D mov eax, dword ptr fs:[00000030h]	8_2_0113C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE8C0 mov eax, dword ptr fs:[00000030h]	8_2_010DE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011808C0 mov eax, dword ptr fs:[00000030h]	8_2_011808C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117A8E4 mov eax, dword ptr fs:[00000030h]	8_2_0117A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC8F9 mov eax, dword ptr fs:[00000030h]	8_2_010EC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC8F9 mov eax, dword ptr fs:[00000030h]	8_2_010EC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184B00 mov eax, dword ptr fs:[00000030h]	8_2_01184B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DEB20 mov eax, dword ptr fs:[00000030h]	8_2_010DEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DEB20 mov eax, dword ptr fs:[00000030h]	8_2_010DEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01178B28 mov eax, dword ptr fs:[00000030h]	8_2_01178B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01178B28 mov eax, dword ptr fs:[00000030h]	8_2_01178B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115EB50 mov eax, dword ptr fs:[00000030h]	8_2_0115EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01182B57 mov eax, dword ptr fs:[00000030h]	8_2_01182B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01182B57 mov eax, dword ptr fs:[00000030h]	8_2_01182B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01182B57 mov eax, dword ptr fs:[00000030h]	8_2_01182B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01182B57 mov eax, dword ptr fs:[00000030h]	8_2_01182B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146B40 mov eax, dword ptr fs:[00000030h]	8_2_01146B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146B40 mov eax, dword ptr fs:[00000030h]	8_2_01146B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117AB40 mov eax, dword ptr fs:[00000030h]	8_2_0117AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01158B42 mov eax, dword ptr fs:[00000030h]	8_2_01158B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8B50 mov eax, dword ptr fs:[00000030h]	8_2_010A8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164B4B mov eax, dword ptr fs:[00000030h]	8_2_01164B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164B4B mov eax, dword ptr fs:[00000030h]	8_2_01164B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010ACB7E mov eax, dword ptr fs:[00000030h]	8_2_010ACB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2B79 mov eax, dword ptr fs:[00000030h]	8_2_010C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2B79 mov eax, dword ptr fs:[00000030h]	8_2_010C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2B79 mov eax, dword ptr fs:[00000030h]	8_2_010C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164BB0 mov eax, dword ptr fs:[00000030h]	8_2_01164BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164BB0 mov eax, dword ptr fs:[00000030h]	8_2_01164BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0BBE mov eax, dword ptr fs:[00000030h]	8_2_010C0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0BBE mov eax, dword ptr fs:[00000030h]	8_2_010C0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115EBD0 mov eax, dword ptr fs:[00000030h]	8_2_0115EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0BCD mov eax, dword ptr fs:[00000030h]	8_2_010B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0BCD mov eax, dword ptr fs:[00000030h]	8_2_010B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0BCD mov eax, dword ptr fs:[00000030h]	8_2_010B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D0BCB mov eax, dword ptr fs:[00000030h]	8_2_010D0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D0BCB mov eax, dword ptr fs:[00000030h]	8_2_010D0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D0BCB mov eax, dword ptr fs:[00000030h]	8_2_010D0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113CBF0 mov eax, dword ptr fs:[00000030h]	8_2_0113CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DEBFC mov eax, dword ptr fs:[00000030h]	8_2_010DEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8BF0 mov ecx, dword ptr fs:[00000030h]	8_2_010E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113CA11 mov eax, dword ptr fs:[00000030h]	8_2_0113CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8A00 mov eax, dword ptr fs:[00000030h]	8_2_010A8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8A00 mov eax, dword ptr fs:[00000030h]	8_2_010A8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DEA2E mov eax, dword ptr fs:[00000030h]	8_2_010DEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010ECA24 mov eax, dword ptr fs:[00000030h]	8_2_010ECA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010ECA38 mov eax, dword ptr fs:[00000030h]	8_2_010ECA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D4A35 mov eax, dword ptr fs:[00000030h]	8_2_010D4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D4A35 mov eax, dword ptr fs:[00000030h]	8_2_010D4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0A5B mov eax, dword ptr fs:[00000030h]	8_2_010C0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0A5B mov eax, dword ptr fs:[00000030h]	8_2_010C0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00256800 GetProcessHeap,RtlFreeHeap,

16_2_00256800

Enables debug privileges

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00256EC0 SetUnhandledExceptionFilter,		16_2_00256EC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00256B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		16_2_00256B40

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x154A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x154A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0xBFA4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0xBFA56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 2580	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 2580
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 2580

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: E10000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 240000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 602008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D72008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: explorer.exe, 00000009.00000003.3111399030.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4158684864.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000002.4158684864.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1722661538.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.1721630165.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000009.00000002.4158684864.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1722661538.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000002.4158684864.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1722661538.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,	16_2_00246854
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	16_2_00248572
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	16_2_00249310

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Users\user\Desktop\Bankcerticate223pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00246854 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,

16_2_00246854

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00244D08 GetVersion,

16_2_00244D08

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
www.ammamiaitalia.net	unknown	unknown
www.ruck-driver-jobs-86708.bond	unknown	unknown
www.omptables.xyz	unknown	unknown
www.amsexgirls.website	unknown	unknown
www.nalyzator.fun	unknown	unknown
www.eat-pumps-31610.bond	unknown	unknown
www.strange.store	unknown	unknown
www.nfluencer-marketing-41832.bond	unknown	unknown
www.idzev.shop	unknown	unknown
www.harepoint.legal	unknown	unknown
www.coplus.market	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.8435.pizza/a02d/	false		high

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Bankcerticate223pdf.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.strange.store/a02d/	Avira URL Cloud: Label: malware
Source: http://www.strange.store/a02d/www.coplus.market	Avira URL Cloud: Label: malware
Source: http://www.estionprojetsccpm.online/a02d/	Avira URL Cloud: Label: malware
Source: http://www.harepoint.legal/a02d/www.amsexgirls.website	Avira URL Cloud: Label: malware
Source: http://www.ammamiaitalia.net/a02d/www.idzev.shop	Avira URL Cloud: Label: malware
Source: http://www.ruck-driver-jobs-86708.bond/a02d/www.eat-pumps-31610.bond	Avira URL Cloud: Label: malware
Source: http://www.coplus.market/a02d/www.omptables.xyz	Avira URL Cloud: Label: malware
Source: http://www.eat-pumps-31610.bond/a02d/	Avira URL Cloud: Label: malware
Source: http://www.4cw.lat/a02d/	Avira URL Cloud: Label: malware
Source: http://www.amsexgirls.website/a02d/www.ammamiaitalia.net	Avira URL Cloud: Label: malware
Source: http://www.omptables.xyz/a02d/	Avira URL Cloud: Label: malware
Source: http://www.ruck-driver-jobs-86708.bond/a02d/	Avira URL Cloud: Label: malware
Source: http://www.amsexgirls.website/a02d/	Avira URL Cloud: Label: malware
Source: http://www.ammamiaitalia.net/a02d/	Avira URL Cloud: Label: malware
Source: http://www.idzev.shop/a02d/	Avira URL Cloud: Label: malware
Source: http://www.omptables.xyz/a02d/www.nalyzator.fun	Avira URL Cloud: Label: malware
Source: http://www.rh799295w.vip/a02d/www.4cw.lat	Avira URL Cloud: Label: malware
Source: http://www.yhbvc.xyz/a02d/www.ruck-driver-jobs-86708.bond	Avira URL Cloud: Label: malware
Source: http://www.estionprojetsccpm.online/a02d/www.8435.pizza	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Avira: detection malicious, Label: HEUR/AGEN.1310400

Found malware configuration

Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: Bankcerticate223pdf.exe	Virustotal: Detection: 33%			Perma Link
Source: Bankcerticate223pdf.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Bankcerticate223pdf.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: Bankcerticate223pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Bankcerticate223pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wscript.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1795690506.0000000001020000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1795049620.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1799615963.0000000000E10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.4178475160.0000000010B5F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4159552520.00000000038FF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4158321746.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1799282057.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4157706817.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1794317883.0000000001560000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.000000000354E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1795281362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1793090894.0000000003059000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.000000000500E000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1796869110.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1794644748.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.1794317883.0000000001560000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.4158931647.000000000354E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1795281362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1793090894.0000000003059000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.000000000500E000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1796869110.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1794644748.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wscript.pdb source: RegSvcs.exe, 00000008.00000002.1795690506.0000000001020000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1795049620.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1799615963.0000000000E10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.4178475160.0000000010B5F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4159552520.00000000038FF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4158321746.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: RegSvcs.exe, 0000000F.00000002.1799282057.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.4157706817.0000000000240000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0025589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	16_2_0025589A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00250207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	16_2_00250207
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00263E66 FindFirstFileW,FindNextFileW,FindClose,	16_2_00263E66
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	16_2_00254EC1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	16_2_0024532E

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop esi		15_2_00417235
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 4x nop then pop esi		16_2_027E7235

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.8435.pizza/a02d/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.omptables.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.nfluencer-marketing-41832.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.coplus.market replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.omptables.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nalyzator.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ammamiaitalia.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.idzev.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.amsexgirls.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ruck-driver-jobs-86708.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.harepoint.legal replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.strange.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.eat-pumps-31610.bond replaycode: Name error (3)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown	DNS traffic detected: query: www.nfluencer-marketing-41832.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.coplus.market replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.omptables.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nalyzator.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ammamiaitalia.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.idzev.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.amsexgirls.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ruck-driver-jobs-86708.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.harepoint.legal replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.strange.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.eat-pumps-31610.bond replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.nfluencer-marketing-41832.bond
Source: global traffic	DNS traffic detected: DNS query: www.ruck-driver-jobs-86708.bond
Source: global traffic	DNS traffic detected: DNS query: www.eat-pumps-31610.bond
Source: global traffic	DNS traffic detected: DNS query: www.harepoint.legal
Source: global traffic	DNS traffic detected: DNS query: www.amsexgirls.website
Source: global traffic	DNS traffic detected: DNS query: www.ammamiaitalia.net
Source: global traffic	DNS traffic detected: DNS query: www.idzev.shop
Source: global traffic	DNS traffic detected: DNS query: www.strange.store
Source: global traffic	DNS traffic detected: DNS query: www.coplus.market
Source: global traffic	DNS traffic detected: DNS query: www.omptables.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nalyzator.fun

Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000009.00000000.1738141569.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4163406763.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1743197029.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Bankcerticate223pdf.exe, 00000000.00000002.1739595988.0000000003291000.00000004.00000800.00020000.00000000.sdmp, cvRSCwXQ.exe, 0000000B.00000002.1786290809.0000000003130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4cw.lat
Source: explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4cw.lat/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4cw.latReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8435.pizza
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8435.pizza/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8435.pizza/a02d/www.rh799295w.vip
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8435.pizzaReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ammamiaitalia.net
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ammamiaitalia.net/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ammamiaitalia.net/a02d/www.idzev.shop
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ammamiaitalia.netReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsexgirls.website
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsexgirls.website/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsexgirls.website/a02d/www.ammamiaitalia.net
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amsexgirls.websiteReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000009.00000000.1745205480.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108659121.000000000C96C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108840251.000000000C999000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109262060.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coplus.market
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coplus.market/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coplus.market/a02d/www.omptables.xyz
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.coplus.marketReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eat-pumps-31610.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eat-pumps-31610.bond/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eat-pumps-31610.bond/a02d/www.harepoint.legal
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eat-pumps-31610.bondReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estionprojetsccpm.online
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estionprojetsccpm.online/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estionprojetsccpm.online/a02d/www.8435.pizza
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estionprojetsccpm.onlineReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harepoint.legal
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harepoint.legal/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harepoint.legal/a02d/www.amsexgirls.website
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harepoint.legalReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.idzev.shop
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.idzev.shop/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.idzev.shop/a02d/www.strange.store
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.idzev.shopReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nalyzator.fun
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nalyzator.fun/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nalyzator.fun/a02d/www.estionprojetsccpm.online
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nalyzator.funReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-41832.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-41832.bond/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-41832.bond/a02d/www.yhbvc.xyz
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-41832.bondReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omptables.xyz
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omptables.xyz/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omptables.xyz/a02d/www.nalyzator.fun
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.omptables.xyzReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rh799295w.vip
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rh799295w.vip/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rh799295w.vip/a02d/www.4cw.lat
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rh799295w.vipReferer:
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-86708.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-86708.bond/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-86708.bond/a02d/www.eat-pumps-31610.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruck-driver-jobs-86708.bondReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.strange.store
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.strange.store/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.strange.store/a02d/www.coplus.market
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.strange.storeReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yhbvc.xyz
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yhbvc.xyz/a02d/
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yhbvc.xyz/a02d/www.ruck-driver-jobs-86708.bond
Source: explorer.exe, 00000009.00000002.4166809229.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3109611335.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3480510031.000000000991E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3108541372.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yhbvc.xyzReferer:
Source: Bankcerticate223pdf.exe, 00000000.00000002.1745426587.0000000009A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000009.00000002.4161508658.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000009.00000002.4159596387.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721630165.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1724813031.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000002.4165294972.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.0000000009701000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000002.4165294972.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.0000000009701000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.1745205480.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4173438175.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000009.00000002.4173438175.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1745205480.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1728391940.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000009.00000000.1728391940.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Bankcerticate223pdf.exe PID: 5408, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cvRSCwXQ.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7696, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmd.exe PID: 7720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: wscript.exe PID: 7728, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2B60 NtClose,LdrInitializeThunk,	8_2_010F2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_010F2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2AD0 NtReadFile,LdrInitializeThunk,	8_2_010F2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_010F2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2D30 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_010F2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2DD0 NtDelayExecution,LdrInitializeThunk,	8_2_010F2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_010F2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_010F2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_010F2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2F30 NtCreateSection,LdrInitializeThunk,	8_2_010F2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2F90 NtProtectVirtualMemory,LdrInitializeThunk,	8_2_010F2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2FB0 NtResumeThread,LdrInitializeThunk,	8_2_010F2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2FE0 NtCreateFile,LdrInitializeThunk,	8_2_010F2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2E80 NtReadVirtualMemory,LdrInitializeThunk,	8_2_010F2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_010F2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F4340 NtSetContextThread,	8_2_010F4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F4650 NtSuspendThread,	8_2_010F4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2B80 NtQueryInformationFile,	8_2_010F2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2BA0 NtEnumerateValueKey,	8_2_010F2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2BE0 NtQueryValueKey,	8_2_010F2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2AB0 NtWaitForSingleObject,	8_2_010F2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2AF0 NtWriteFile,	8_2_010F2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2D00 NtSetInformationFile,	8_2_010F2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2DB0 NtEnumerateKey,	8_2_010F2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2C00 NtQueryInformationProcess,	8_2_010F2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2C60 NtCreateKey,	8_2_010F2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2CC0 NtQueryVirtualMemory,	8_2_010F2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2CF0 NtOpenProcess,	8_2_010F2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2F60 NtCreateProcessEx,	8_2_010F2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2FA0 NtQuerySection,	8_2_010F2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2E30 NtWriteVirtualMemory,	8_2_010F2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2EE0 NtQueueApcThread,	8_2_010F2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3010 NtOpenDirectoryObject,	8_2_010F3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3090 NtSetValueKey,	8_2_010F3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F35C0 NtCreateMutant,	8_2_010F35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F39B0 NtGetContextThread,	8_2_010F39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3D10 NtOpenProcessToken,	8_2_010F3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3D70 NtOpenThread,	8_2_010F3D70
Source: C:\Windows\explorer.exe	Code function: 9_2_0F950E12 NtProtectVirtualMemory,	9_2_0F950E12
Source: C:\Windows\explorer.exe	Code function: 9_2_0F94F232 NtCreateFile,	9_2_0F94F232
Source: C:\Windows\explorer.exe	Code function: 9_2_0F950E0A NtProtectVirtualMemory,	9_2_0F950E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A320 NtCreateFile,	15_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A3D0 NtReadFile,	15_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A450 NtClose,	15_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A500 NtAllocateVirtualMemory,	15_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A31D NtCreateFile,	15_2_0041A31D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A44B NtClose,	15_2_0041A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A4FA NtAllocateVirtualMemory,	15_2_0041A4FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A57A NtAllocateVirtualMemory,	15_2_0041A57A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	16_2_00254823
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0025643A NtOpenThreadToken,NtOpenProcessToken,NtClose,	16_2_0025643A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00267460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	16_2_00267460
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_002564CA NtQueryInformationToken,	16_2_002564CA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0026A135 NtSetInformationFile,	16_2_0026A135
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00256500 NtQueryInformationToken,NtQueryInformationToken,	16_2_00256500
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0026C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	16_2_0026C1FA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00244E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,	16_2_00244E3B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,	16_2_00254759
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422B60 NtClose,LdrInitializeThunk,	16_2_03422B60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422AD0 NtReadFile,LdrInitializeThunk,	16_2_03422AD0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422F30 NtCreateSection,LdrInitializeThunk,	16_2_03422F30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422FE0 NtCreateFile,LdrInitializeThunk,	16_2_03422FE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	16_2_03422EA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422D10 NtMapViewOfSection,LdrInitializeThunk,	16_2_03422D10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422DD0 NtDelayExecution,LdrInitializeThunk,	16_2_03422DD0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422DF0 NtQuerySystemInformation,LdrInitializeThunk,	16_2_03422DF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422C60 NtCreateKey,LdrInitializeThunk,	16_2_03422C60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422C70 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_03422C70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422CA0 NtQueryInformationToken,LdrInitializeThunk,	16_2_03422CA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034235C0 NtCreateMutant,LdrInitializeThunk,	16_2_034235C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03424340 NtSetContextThread,	16_2_03424340
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03424650 NtSuspendThread,	16_2_03424650
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422BE0 NtQueryValueKey,	16_2_03422BE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422BF0 NtAllocateVirtualMemory,	16_2_03422BF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422B80 NtQueryInformationFile,	16_2_03422B80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422BA0 NtEnumerateValueKey,	16_2_03422BA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422AF0 NtWriteFile,	16_2_03422AF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422AB0 NtWaitForSingleObject,	16_2_03422AB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422F60 NtCreateProcessEx,	16_2_03422F60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422F90 NtProtectVirtualMemory,	16_2_03422F90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422FA0 NtQuerySection,	16_2_03422FA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422FB0 NtResumeThread,	16_2_03422FB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422E30 NtWriteVirtualMemory,	16_2_03422E30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422EE0 NtQueueApcThread,	16_2_03422EE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422E80 NtReadVirtualMemory,	16_2_03422E80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422D00 NtSetInformationFile,	16_2_03422D00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422D30 NtUnmapViewOfSection,	16_2_03422D30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422DB0 NtEnumerateKey,	16_2_03422DB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422C00 NtQueryInformationProcess,	16_2_03422C00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422CC0 NtQueryVirtualMemory,	16_2_03422CC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03422CF0 NtOpenProcess,	16_2_03422CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03423010 NtOpenDirectoryObject,	16_2_03423010
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03423090 NtSetValueKey,	16_2_03423090
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034239B0 NtGetContextThread,	16_2_034239B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03423D70 NtOpenThread,	16_2_03423D70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03423D10 NtOpenProcessToken,	16_2_03423D10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA320 NtCreateFile,	16_2_027EA320
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA3D0 NtReadFile,	16_2_027EA3D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA450 NtClose,	16_2_027EA450
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA31D NtCreateFile,	16_2_027EA31D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EA44B NtClose,	16_2_027EA44B

Contains functionality to communicate with device drivers

Source: C:\Windows\SysWOW64\cmd.exe

16_2_00244C10

Contains functionality to launch a process as a different user

Source: C:\Windows\SysWOW64\cmd.exe

16_2_00249458

Detected potential crypto function

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016425C0	0_2_016425C0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01640871	0_2_01640871
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01641360	0_2_01641360
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016434A8	0_2_016434A8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01641BC0	0_2_01641BC0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01644308	0_2_01644308
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016442F9	0_2_016442F9
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_0164C680	0_2_0164C680
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01645178	0_2_01645178
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016433B8	0_2_016433B8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016412FD	0_2_016412FD
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016415F8	0_2_016415F8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016455A1	0_2_016455A1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016455B0	0_2_016455B0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01645768	0_2_01645768
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_01645758	0_2_01645758
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016459E8	0_2_016459E8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_016459F8	0_2_016459F8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E7990	0_2_099E7990
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E0B70	0_2_099E0B70
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5A78	0_2_099E5A78
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E1C90	0_2_099E1C90
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E70E0	0_2_099E70E0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6018	0_2_099E6018
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E0040	0_2_099E0040
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E12D8	0_2_099E12D8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5638	0_2_099E5638
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E7980	0_2_099E7980
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6910	0_2_099E6910
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6920	0_2_099E6920
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E3959	0_2_099E3959
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E3968	0_2_099E3968
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4B98	0_2_099E4B98
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4BA8	0_2_099E4BA8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E0AD0	0_2_099E0AD0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5A69	0_2_099E5A69
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4DB8	0_2_099E4DB8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4DC8	0_2_099E4DC8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EED30	0_2_099EED30
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E1C81	0_2_099E1C81
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5CB1	0_2_099E5CB1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5CC0	0_2_099E5CC0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5F21	0_2_099E5F21
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E7F70	0_2_099E7F70
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E7F60	0_2_099E7F60
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EF180	0_2_099EF180
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EF170	0_2_099EF170
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E70D0	0_2_099E70D0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6008	0_2_099E6008
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E0006	0_2_099E0006
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5030	0_2_099E5030
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5040	0_2_099E5040
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E12C9	0_2_099E12C9
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EF5B8	0_2_099EF5B8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099EF5A9	0_2_099EF5A9
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4518	0_2_099E4518
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E4508	0_2_099E4508
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E3561	0_2_099E3561
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6451	0_2_099E6451
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E6460	0_2_099E6460
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E1711	0_2_099E1711
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E1720	0_2_099E1720
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E5629	0_2_099E5629
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F6D70	0_2_099F6D70
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F0290	0_2_099F0290
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F02A0	0_2_099F02A0
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F06D8	0_2_099F06D8
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099F06C9	0_2_099F06C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0100	8_2_010B0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01148158	8_2_01148158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011801AA	8_2_011801AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011741A2	8_2_011741A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011781CC	8_2_011781CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117A352	8_2_0117A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE3F0	8_2_010CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011803E6	8_2_011803E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011402C0	8_2_011402C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01180591	8_2_01180591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164420	8_2_01164420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01172446	8_2_01172446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116E4F6	8_2_0116E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E4750	8_2_010E4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BC7C0	8_2_010BC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DC6E0	8_2_010DC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D6962	8_2_010D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0118A9A6	8_2_0118A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CA840	8_2_010CA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2840	8_2_010C2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A68B8	8_2_010A68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE8F0	8_2_010EE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117AB40	8_2_0117AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01176BD7	8_2_01176BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BEA80	8_2_010BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115CD1F	8_2_0115CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CAD00	8_2_010CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D8DBF	8_2_010D8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BADE0	8_2_010BADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0C00	8_2_010C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160CB5	8_2_01160CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0CF2	8_2_010B0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01162F30	8_2_01162F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01102F28	8_2_01102F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E0F30	8_2_010E0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01134F40	8_2_01134F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113EFA0	8_2_0113EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2FC8	8_2_010B2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CCFE0	8_2_010CCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117EE26	8_2_0117EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0E59	8_2_010C0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117CE93	8_2_0117CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2E90	8_2_010D2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C8ECF	8_2_010C8ECF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117EEDB	8_2_0117EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F516C	8_2_010F516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0118B16B	8_2_0118B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AF172	8_2_010AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CB1B0	8_2_010CB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C70C0	8_2_010C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116F0CC	8_2_0116F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117F0E0	8_2_0117F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011770E9	8_2_011770E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117132D	8_2_0117132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AD34C	8_2_010AD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0110739A	8_2_0110739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C33F3	8_2_010C33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C52A0	8_2_010C52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DB2C0	8_2_010DB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011612ED	8_2_011612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DD2F0	8_2_010DD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01177571	8_2_01177571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115D5B0	8_2_0115D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011895C3	8_2_011895C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117F43F	8_2_0117F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B1460	8_2_010B1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C3497	8_2_010C3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117F7B0	8_2_0117F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01105630	8_2_01105630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011716CC	8_2_011716CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01155910	8_2_01155910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C9950	8_2_010C9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DB950	8_2_010DB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112D800	8_2_0112D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B1840	8_2_010B1840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C38E0	8_2_010C38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FB76	8_2_0117FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DFB80	8_2_010DFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01135BF0	8_2_01135BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010FDBF9	8_2_010FDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01177A46	8_2_01177A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FA49	8_2_0117FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01133A6C	8_2_01133A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01105AA0	8_2_01105AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01161AA3	8_2_01161AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115DAAC	8_2_0115DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116DAC6	8_2_0116DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C3D40	8_2_010C3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01171D5A	8_2_01171D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01177D73	8_2_01177D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DFDC0	8_2_010DFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01139C32	8_2_01139C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D9C44	8_2_010D9C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FCF2	8_2_0117FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FF09	8_2_0117FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C1F92	8_2_010C1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117FFB1	8_2_0117FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C9EB0	8_2_010C9EB0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7DE232	9_2_0E7DE232
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7D8B30	9_2_0E7D8B30
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7D8B32	9_2_0E7D8B32
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7DD036	9_2_0E7DD036
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7D4082	9_2_0E7D4082
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7DB912	9_2_0E7DB912
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7D5D02	9_2_0E7D5D02
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7E15CD	9_2_0E7E15CD
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E6B32	9_2_0F7E6B32
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E6B30	9_2_0F7E6B30
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EC232	9_2_0F7EC232
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E9912	9_2_0F7E9912
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E3D02	9_2_0F7E3D02
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EF5CD	9_2_0F7EF5CD
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EB036	9_2_0F7EB036
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7E2082	9_2_0F7E2082
Source: C:\Windows\explorer.exe	Code function: 9_2_0F94F232	9_2_0F94F232
Source: C:\Windows\explorer.exe	Code function: 9_2_0F9525CD	9_2_0F9525CD
Source: C:\Windows\explorer.exe	Code function: 9_2_0F94C912	9_2_0F94C912
Source: C:\Windows\explorer.exe	Code function: 9_2_0F946D02	9_2_0F946D02
Source: C:\Windows\explorer.exe	Code function: 9_2_0F949B30	9_2_0F949B30
Source: C:\Windows\explorer.exe	Code function: 9_2_0F949B32	9_2_0F949B32
Source: C:\Windows\explorer.exe	Code function: 9_2_0F945082	9_2_0F945082
Source: C:\Windows\explorer.exe	Code function: 9_2_0F94E036	9_2_0F94E036
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E725C0	11_2_00E725C0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E70871	11_2_00E70871
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E71360	11_2_00E71360
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E734A8	11_2_00E734A8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E71BC0	11_2_00E71BC0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E742F9	11_2_00E742F9
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E74308	11_2_00E74308
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E7C680	11_2_00E7C680
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E7C673	11_2_00E7C673
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E75178	11_2_00E75178
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E715F8	11_2_00E715F8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E755B0	11_2_00E755B0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E75768	11_2_00E75768
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E75758	11_2_00E75758
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_00E759F8	11_2_00E759F8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09677990	11_2_09677990
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09670B70	11_2_09670B70
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09675A78	11_2_09675A78
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09671C90	11_2_09671C90
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09670040	11_2_09670040
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09676018	11_2_09676018
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_096770E0	11_2_096770E0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_096712D8	11_2_096712D8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09675638	11_2_09675638
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09673968	11_2_09673968
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09676920	11_2_09676920
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09674BA8	11_2_09674BA8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967ED30	11_2_0967ED30
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09674DC7	11_2_09674DC7
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09674DC8	11_2_09674DC8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09675CC0	11_2_09675CC0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09677F70	11_2_09677F70
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967F170	11_2_0967F170
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967F180	11_2_0967F180
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09675040	11_2_09675040
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09674518	11_2_09674518
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967F5A9	11_2_0967F5A9
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967F5B8	11_2_0967F5B8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09676460	11_2_09676460
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09671720	11_2_09671720
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B16BF0	11_2_09B16BF0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B102A0	11_2_09B102A0
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B10290	11_2_09B10290
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B106D8	11_2_09B106D8
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B106C9	11_2_09B106C9
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B16E10	11_2_09B16E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041E82B	15_2_0041E82B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00401030	15_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D585	15_2_0041D585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00402D90	15_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00409E4B	15_2_00409E4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00409E50	15_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00402FB0	15_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0158F172	15_2_0158F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015D516C	15_2_015D516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015AB1B0	15_2_015AB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A0000	15_2_015A0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A70C0	15_2_015A70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0158D34C	15_2_0158D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015BD2F0	15_2_015BD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A52A0	15_2_015A52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01591460	15_2_01591460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015AB730	15_2_015AB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0159C7C0	15_2_0159C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015917EC	15_2_015917EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A9950	15_2_015A9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015BB950	15_2_015BB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015B6962	15_2_015B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A5990	15_2_015A5990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A29A0	15_2_015A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015928F0	15_2_015928F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015CE8F0	15_2_015CE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A38E0	15_2_015A38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015868B8	15_2_015868B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015DDBF9	15_2_015DDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01569B80	15_2_01569B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0159EA80	15_2_0159EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A3D40	15_2_015A3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A8DC0	15_2_015A8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015B8DBF	15_2_015B8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A0C00	15_2_015A0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015B9C20	15_2_015B9C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01563FD5	15_2_01563FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01563FD2	15_2_01563FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01592FC8	15_2_01592FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015ACFE0	15_2_015ACFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A1F92	15_2_015A1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A0E59	15_2_015A0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015B2E90	15_2_015B2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015A9EB0	15_2_015A9EB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024540A	16_2_0024540A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00244C10	16_2_00244C10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254875	16_2_00254875
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_002474B1	16_2_002474B1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00249144	16_2_00249144
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0026695A	16_2_0026695A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00264191	16_2_00264191
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00247A34	16_2_00247A34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024EE03	16_2_0024EE03
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00263E66	16_2_00263E66
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024D660	16_2_0024D660
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00246E57	16_2_00246E57
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00253EB3	16_2_00253EB3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00255A86	16_2_00255A86
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0026769E	16_2_0026769E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254EC1	16_2_00254EC1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00246B20	16_2_00246B20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00250740	16_2_00250740
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00250BF0	16_2_00250BF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AA352	16_2_034AA352
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034B03E6	16_2_034B03E6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033FE3F0	16_2_033FE3F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03490274	16_2_03490274
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034702C0	16_2_034702C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03478158	16_2_03478158
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033E0100	16_2_033E0100
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0348A118	16_2_0348A118
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A81CC	16_2_034A81CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034B01AA	16_2_034B01AA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A41A2	16_2_034A41A2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03482000	16_2_03482000
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03414750	16_2_03414750
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F0770	16_2_033F0770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033EC7C0	16_2_033EC7C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340C6E0	16_2_0340C6E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F0535	16_2_033F0535
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034B0591	16_2_034B0591
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A2446	16_2_034A2446
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03494420	16_2_03494420
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0349E4F6	16_2_0349E4F6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AAB40	16_2_034AAB40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A6BD7	16_2_034A6BD7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033EEA80	16_2_033EEA80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03406962	16_2_03406962
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F29A0	16_2_033F29A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034BA9A6	16_2_034BA9A6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033FA840	16_2_033FA840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F2840	16_2_033F2840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033D68B8	16_2_033D68B8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0341E8F0	16_2_0341E8F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03464F40	16_2_03464F40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03432F28	16_2_03432F28
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03410F30	16_2_03410F30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03492F30	16_2_03492F30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0346EFA0	16_2_0346EFA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033E2FC8	16_2_033E2FC8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F0E59	16_2_033F0E59
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AEE26	16_2_034AEE26
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AEEDB	16_2_034AEEDB
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03402E90	16_2_03402E90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034ACE93	16_2_034ACE93
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033FAD00	16_2_033FAD00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0348CD1F	16_2_0348CD1F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033EADE0	16_2_033EADE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03408DBF	16_2_03408DBF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F0C00	16_2_033F0C00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033E0CF2	16_2_033E0CF2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03490CB5	16_2_03490CB5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A132D	16_2_034A132D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033DD34C	16_2_033DD34C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0343739A	16_2_0343739A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340B2C0	16_2_0340B2C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F52A0	16_2_033F52A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034912ED	16_2_034912ED
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340D2F0	16_2_0340D2F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034BB16B	16_2_034BB16B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0342516C	16_2_0342516C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033DF172	16_2_033DF172
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033FB1B0	16_2_033FB1B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0349F0CC	16_2_0349F0CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A70E9	16_2_034A70E9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AF0E0	16_2_034AF0E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F70C0	16_2_033F70C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AF7B0	16_2_034AF7B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03435630	16_2_03435630
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A16CC	16_2_034A16CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A7571	16_2_034A7571
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034B95C3	16_2_034B95C3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0348D5B0	16_2_0348D5B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033E1460	16_2_033E1460
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AF43F	16_2_034AF43F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFB76	16_2_034AFB76
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03465BF0	16_2_03465BF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0342DBF9	16_2_0342DBF9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340FB80	16_2_0340FB80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFA49	16_2_034AFA49
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A7A46	16_2_034A7A46
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03463A6C	16_2_03463A6C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0349DAC6	16_2_0349DAC6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03435AA0	16_2_03435AA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0348DAAC	16_2_0348DAAC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03491AA3	16_2_03491AA3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340B950	16_2_0340B950
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03485910	16_2_03485910
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F9950	16_2_033F9950
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0345D800	16_2_0345D800
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F38E0	16_2_033F38E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFF09	16_2_034AFF09
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F1F92	16_2_033F1F92
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033B3FD2	16_2_033B3FD2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033B3FD5	16_2_033B3FD5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFFB1	16_2_034AFFB1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F9EB0	16_2_033F9EB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A1D5A	16_2_034A1D5A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034A7D73	16_2_034A7D73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_033F3D40	16_2_033F3D40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0340FDC0	16_2_0340FDC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03469C32	16_2_03469C32
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_034AFCF2	16_2_034AFCF2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027EE82B	16_2_027EE82B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027D9E50	16_2_027D9E50
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027D9E4B	16_2_027D9E4B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_027D2FB0	16_2_027D2FB0

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01107E54 appears 129 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0112EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01107EB0 appears 31 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 0345EA12 appears 86 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 03437E54 appears 107 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 03425130 appears 58 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 0346F290 appears 103 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 033DB970 appears 262 times

Sample file is different than original file name gathered from version info

Source: Bankcerticate223pdf.exe, 00000000.00000002.1744026413.0000000007EE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1744906590.000000000881F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameepCs.exe" vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1737968293.00000000013AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1746850433.000000000EC50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe, 00000000.00000000.1684752209.0000000000CC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameepCs.exe" vs Bankcerticate223pdf.exe
Source: Bankcerticate223pdf.exe	Binary or memory string: OriginalFilenameepCs.exe" vs Bankcerticate223pdf.exe

Uses 32bit PE files

Source: Bankcerticate223pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Bankcerticate223pdf.exe PID: 5408, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cvRSCwXQ.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7696, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 7720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wscript.exe PID: 7728, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Bankcerticate223pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cvRSCwXQ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@28/15@12/0

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_0026A759 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,

16_2_0026A759

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File created: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\qeBfodUmscfBzf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8D97.tmp

Jump to behavior

Source: Bankcerticate223pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Bankcerticate223pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bankcerticate223pdf.exe	Virustotal: Detection: 33%
Source: Bankcerticate223pdf.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File read: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Bankcerticate223pdf.exe "C:\Users\user\Desktop\Bankcerticate223pdf.exe"
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe C:\Users\user\AppData\Roaming\cvRSCwXQ.exe
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\wscript.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\wscript.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Bankcerticate223pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Bankcerticate223pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wscript.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1795690506.0000000001020000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1795049620.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1799615963.0000000000E10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.4178475160.0000000010B5F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4159552520.00000000038FF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4158321746.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1799282057.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4157706817.0000000000240000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1794317883.0000000001560000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.000000000354E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1795281362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1793090894.0000000003059000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.000000000500E000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1796869110.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1794644748.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.1794317883.0000000001560000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.4158931647.000000000354E000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1795281362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1793090894.0000000003059000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.4158931647.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1800249537.000000000500E000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1796869110.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1794644748.0000000004B0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wscript.pdb source: RegSvcs.exe, 00000008.00000002.1795690506.0000000001020000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1795049620.0000000000C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.1799615963.0000000000E10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.4178475160.0000000010B5F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4159552520.00000000038FF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.4158321746.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: RegSvcs.exe, 0000000F.00000002.1799282057.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.4157706817.0000000000240000.00000040.80000000.00040000.00000000.sdmp

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Code function: 0_2_099E036B push ecx; ret	0_2_099E036C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B09AD push ecx; mov dword ptr [esp], ecx	8_2_010B09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CEFE3 push esi; ret	8_2_010CEFE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01081FEC push eax; iretd	8_2_01081FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CBFEA push ebx; retf	8_2_010CBFEB
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7E1B1E push esp; retn 0000h	9_2_0E7E1B1F
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7E1B02 push esp; retn 0000h	9_2_0E7E1B03
Source: C:\Windows\explorer.exe	Code function: 9_2_0E7E19B5 push esp; retn 0000h	9_2_0E7E1AE7
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EFB1E push esp; retn 0000h	9_2_0F7EFB1F
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EFB02 push esp; retn 0000h	9_2_0F7EFB03
Source: C:\Windows\explorer.exe	Code function: 9_2_0F7EF9B5 push esp; retn 0000h	9_2_0F7EFAE7
Source: C:\Windows\explorer.exe	Code function: 9_2_0F9529B5 push esp; retn 0000h	9_2_0F952AE7
Source: C:\Windows\explorer.exe	Code function: 9_2_0F952B1E push esp; retn 0000h	9_2_0F952B1F
Source: C:\Windows\explorer.exe	Code function: 9_2_0F952B02 push esp; retn 0000h	9_2_0F952B03
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_0967036B push ecx; ret	11_2_0967036C
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Code function: 11_2_09B135E0 push esp; ret	11_2_09B135ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041209D pushfd ; ret	15_2_0041209E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00407A8D push ecx; ret	15_2_00407A8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D475 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D4C2 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D4CB push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041E49E push es; retf	15_2_0041E49F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D52C push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0156B008 push es; iretd	15_2_0156B009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0156135E push eax; iretd	15_2_01561369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0156225F pushad ; ret	15_2_015627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015627FA pushad ; ret	15_2_015627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01569939 push es; iretd	15_2_01569940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015909AD push ecx; mov dword ptr [esp], ecx	15_2_015909B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0156283D push eax; iretd	15_2_01562858
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_002571ED push ecx; ret	16_2_00257200

Source: Bankcerticate223pdf.exe	Static PE information: section name: .text entropy: 7.5345051773355625
Source: cvRSCwXQ.exe.0.dr	Static PE information: section name: .text entropy: 7.5345051773355625

Drops PE files

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

File created: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Bankcerticate223pdf.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvRSCwXQ.exe PID: 7536, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 27D9904 second address: 27D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 9D9904 second address: 9D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 27D9B6E second address: 27D9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 9D9B6E second address: 9D9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 1600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 3290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 56E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 66E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 6810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 7810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: B9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: A000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: C9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: D9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: ECD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: FCD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: 10CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 52E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 62E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 6410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 7410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: AE50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 9680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: BE50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: CE50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: E140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: F140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: 10140000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_010AE0D0 rdtsc

8_2_010AE0D0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7189	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2413	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7108	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1489	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4836	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5104	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 874	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 408
Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 9564

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.8 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 6.2 %
Source: C:\Windows\SysWOW64\cmd.exe	API coverage: 0.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe TID: 480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep count: 7108 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep count: 1489 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7364	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8056	Thread sleep count: 4836 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8056	Thread sleep time: -9672000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8056	Thread sleep count: 5104 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8056	Thread sleep time: -10208000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe TID: 7584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 7848	Thread sleep count: 408 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 7848	Thread sleep time: -816000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 7848	Thread sleep count: 9564 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 7848	Thread sleep time: -19128000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0025589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	16_2_0025589A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00250207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	16_2_00250207
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00263E66 FindFirstFileW,FindNextFileW,FindClose,	16_2_00263E66
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00254EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	16_2_00254EC1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0024532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	16_2_0024532E

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior

Source: explorer.exe, 00000009.00000000.1742873528.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000002.4165294972.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000009.00000002.4161508658.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000009.00000000.1742873528.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000009.00000000.1728391940.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.1742873528.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000009.00000002.4161508658.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000009.00000002.4165294972.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000009.00000000.1741100099.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4165294972.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3111399030.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000000.1742873528.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000009.00000000.1728391940.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4161508658.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000002.4165163018.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_010AE0D0 rdtsc

8_2_010AE0D0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_010F2B60 NtClose,LdrInitializeThunk,

8_2_010F2B60

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00262E37 IsDebuggerPresent,

16_2_00262E37

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01170115 mov eax, dword ptr fs:[00000030h]	8_2_01170115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118 mov ecx, dword ptr fs:[00000030h]	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118 mov eax, dword ptr fs:[00000030h]	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118 mov eax, dword ptr fs:[00000030h]	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115A118 mov eax, dword ptr fs:[00000030h]	8_2_0115A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov ecx, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov ecx, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov ecx, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov eax, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E10E mov ecx, dword ptr fs:[00000030h]	8_2_0115E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E0124 mov eax, dword ptr fs:[00000030h]	8_2_010E0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2140 mov ecx, dword ptr fs:[00000030h]	8_2_010B2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2140 mov eax, dword ptr fs:[00000030h]	8_2_010B2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01148158 mov eax, dword ptr fs:[00000030h]	8_2_01148158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov eax, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov eax, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov ecx, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov eax, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01144144 mov eax, dword ptr fs:[00000030h]	8_2_01144144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC156 mov eax, dword ptr fs:[00000030h]	8_2_010AC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6154 mov eax, dword ptr fs:[00000030h]	8_2_010B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6154 mov eax, dword ptr fs:[00000030h]	8_2_010B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184164 mov eax, dword ptr fs:[00000030h]	8_2_01184164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184164 mov eax, dword ptr fs:[00000030h]	8_2_01184164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F0185 mov eax, dword ptr fs:[00000030h]	8_2_010F0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113019F mov eax, dword ptr fs:[00000030h]	8_2_0113019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113019F mov eax, dword ptr fs:[00000030h]	8_2_0113019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113019F mov eax, dword ptr fs:[00000030h]	8_2_0113019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113019F mov eax, dword ptr fs:[00000030h]	8_2_0113019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01154180 mov eax, dword ptr fs:[00000030h]	8_2_01154180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01154180 mov eax, dword ptr fs:[00000030h]	8_2_01154180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA197 mov eax, dword ptr fs:[00000030h]	8_2_010AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA197 mov eax, dword ptr fs:[00000030h]	8_2_010AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA197 mov eax, dword ptr fs:[00000030h]	8_2_010AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116C188 mov eax, dword ptr fs:[00000030h]	8_2_0116C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116C188 mov eax, dword ptr fs:[00000030h]	8_2_0116C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov ecx, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0112E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011761C3 mov eax, dword ptr fs:[00000030h]	8_2_011761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011761C3 mov eax, dword ptr fs:[00000030h]	8_2_011761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C61D1 mov eax, dword ptr fs:[00000030h]	8_2_010C61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C61D1 mov eax, dword ptr fs:[00000030h]	8_2_010C61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E01F8 mov eax, dword ptr fs:[00000030h]	8_2_010E01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011861E5 mov eax, dword ptr fs:[00000030h]	8_2_011861E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01134000 mov ecx, dword ptr fs:[00000030h]	8_2_01134000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01152000 mov eax, dword ptr fs:[00000030h]	8_2_01152000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE016 mov eax, dword ptr fs:[00000030h]	8_2_010CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE016 mov eax, dword ptr fs:[00000030h]	8_2_010CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE016 mov eax, dword ptr fs:[00000030h]	8_2_010CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE016 mov eax, dword ptr fs:[00000030h]	8_2_010CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146030 mov eax, dword ptr fs:[00000030h]	8_2_01146030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA020 mov eax, dword ptr fs:[00000030h]	8_2_010AA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC020 mov eax, dword ptr fs:[00000030h]	8_2_010AC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136050 mov eax, dword ptr fs:[00000030h]	8_2_01136050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2050 mov eax, dword ptr fs:[00000030h]	8_2_010B2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA060 mov eax, dword ptr fs:[00000030h]	8_2_010EA060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DC073 mov eax, dword ptr fs:[00000030h]	8_2_010DC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B208A mov eax, dword ptr fs:[00000030h]	8_2_010B208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A80A0 mov eax, dword ptr fs:[00000030h]	8_2_010A80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011760B8 mov eax, dword ptr fs:[00000030h]	8_2_011760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011760B8 mov ecx, dword ptr fs:[00000030h]	8_2_011760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011480A8 mov eax, dword ptr fs:[00000030h]	8_2_011480A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011320DE mov eax, dword ptr fs:[00000030h]	8_2_011320DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B80E9 mov eax, dword ptr fs:[00000030h]	8_2_010B80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA0E3 mov ecx, dword ptr fs:[00000030h]	8_2_010AA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011360E0 mov eax, dword ptr fs:[00000030h]	8_2_011360E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC0F0 mov eax, dword ptr fs:[00000030h]	8_2_010AC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F20F0 mov ecx, dword ptr fs:[00000030h]	8_2_010F20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA30B mov eax, dword ptr fs:[00000030h]	8_2_010EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA30B mov eax, dword ptr fs:[00000030h]	8_2_010EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA30B mov eax, dword ptr fs:[00000030h]	8_2_010EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC310 mov ecx, dword ptr fs:[00000030h]	8_2_010AC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D0310 mov ecx, dword ptr fs:[00000030h]	8_2_010D0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2324 mov eax, dword ptr fs:[00000030h]	8_2_010B2324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01188324 mov eax, dword ptr fs:[00000030h]	8_2_01188324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01188324 mov ecx, dword ptr fs:[00000030h]	8_2_01188324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01188324 mov eax, dword ptr fs:[00000030h]	8_2_01188324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01188324 mov eax, dword ptr fs:[00000030h]	8_2_01188324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117A352 mov eax, dword ptr fs:[00000030h]	8_2_0117A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01158350 mov ecx, dword ptr fs:[00000030h]	8_2_01158350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov ecx, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113035C mov eax, dword ptr fs:[00000030h]	8_2_0113035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0118634F mov eax, dword ptr fs:[00000030h]	8_2_0118634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01132349 mov eax, dword ptr fs:[00000030h]	8_2_01132349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115437C mov eax, dword ptr fs:[00000030h]	8_2_0115437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE388 mov eax, dword ptr fs:[00000030h]	8_2_010AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE388 mov eax, dword ptr fs:[00000030h]	8_2_010AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE388 mov eax, dword ptr fs:[00000030h]	8_2_010AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D438F mov eax, dword ptr fs:[00000030h]	8_2_010D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D438F mov eax, dword ptr fs:[00000030h]	8_2_010D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8397 mov eax, dword ptr fs:[00000030h]	8_2_010A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8397 mov eax, dword ptr fs:[00000030h]	8_2_010A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8397 mov eax, dword ptr fs:[00000030h]	8_2_010A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011543D4 mov eax, dword ptr fs:[00000030h]	8_2_011543D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011543D4 mov eax, dword ptr fs:[00000030h]	8_2_011543D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_010BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B83C0 mov eax, dword ptr fs:[00000030h]	8_2_010B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B83C0 mov eax, dword ptr fs:[00000030h]	8_2_010B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B83C0 mov eax, dword ptr fs:[00000030h]	8_2_010B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B83C0 mov eax, dword ptr fs:[00000030h]	8_2_010B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E3DB mov eax, dword ptr fs:[00000030h]	8_2_0115E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E3DB mov eax, dword ptr fs:[00000030h]	8_2_0115E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E3DB mov ecx, dword ptr fs:[00000030h]	8_2_0115E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115E3DB mov eax, dword ptr fs:[00000030h]	8_2_0115E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011363C0 mov eax, dword ptr fs:[00000030h]	8_2_011363C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116C3CD mov eax, dword ptr fs:[00000030h]	8_2_0116C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C03E9 mov eax, dword ptr fs:[00000030h]	8_2_010C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E63FF mov eax, dword ptr fs:[00000030h]	8_2_010E63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE3F0 mov eax, dword ptr fs:[00000030h]	8_2_010CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE3F0 mov eax, dword ptr fs:[00000030h]	8_2_010CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE3F0 mov eax, dword ptr fs:[00000030h]	8_2_010CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0218 mov eax, dword ptr fs:[00000030h]	8_2_010C0218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A823B mov eax, dword ptr fs:[00000030h]	8_2_010A823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0118625D mov eax, dword ptr fs:[00000030h]	8_2_0118625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116A250 mov eax, dword ptr fs:[00000030h]	8_2_0116A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116A250 mov eax, dword ptr fs:[00000030h]	8_2_0116A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01138243 mov eax, dword ptr fs:[00000030h]	8_2_01138243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01138243 mov ecx, dword ptr fs:[00000030h]	8_2_01138243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6259 mov eax, dword ptr fs:[00000030h]	8_2_010B6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA250 mov eax, dword ptr fs:[00000030h]	8_2_010AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A826B mov eax, dword ptr fs:[00000030h]	8_2_010A826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01160274 mov eax, dword ptr fs:[00000030h]	8_2_01160274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4260 mov eax, dword ptr fs:[00000030h]	8_2_010B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4260 mov eax, dword ptr fs:[00000030h]	8_2_010B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4260 mov eax, dword ptr fs:[00000030h]	8_2_010B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE284 mov eax, dword ptr fs:[00000030h]	8_2_010EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE284 mov eax, dword ptr fs:[00000030h]	8_2_010EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01130283 mov eax, dword ptr fs:[00000030h]	8_2_01130283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01130283 mov eax, dword ptr fs:[00000030h]	8_2_01130283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01130283 mov eax, dword ptr fs:[00000030h]	8_2_01130283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02A0 mov eax, dword ptr fs:[00000030h]	8_2_010C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02A0 mov eax, dword ptr fs:[00000030h]	8_2_010C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov ecx, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011462A0 mov eax, dword ptr fs:[00000030h]	8_2_011462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_010BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011862D6 mov eax, dword ptr fs:[00000030h]	8_2_011862D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02E1 mov eax, dword ptr fs:[00000030h]	8_2_010C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02E1 mov eax, dword ptr fs:[00000030h]	8_2_010C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C02E1 mov eax, dword ptr fs:[00000030h]	8_2_010C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D02FE mov ecx, dword ptr fs:[00000030h]	8_2_010D02FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146500 mov eax, dword ptr fs:[00000030h]	8_2_01146500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184500 mov eax, dword ptr fs:[00000030h]	8_2_01184500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE53E mov eax, dword ptr fs:[00000030h]	8_2_010DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0535 mov eax, dword ptr fs:[00000030h]	8_2_010C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8550 mov eax, dword ptr fs:[00000030h]	8_2_010B8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8550 mov eax, dword ptr fs:[00000030h]	8_2_010B8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E656A mov eax, dword ptr fs:[00000030h]	8_2_010E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E656A mov eax, dword ptr fs:[00000030h]	8_2_010E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E656A mov eax, dword ptr fs:[00000030h]	8_2_010E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E4588 mov eax, dword ptr fs:[00000030h]	8_2_010E4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2582 mov eax, dword ptr fs:[00000030h]	8_2_010B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B2582 mov ecx, dword ptr fs:[00000030h]	8_2_010B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA580 mov ecx, dword ptr fs:[00000030h]	8_2_010AA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA580 mov eax, dword ptr fs:[00000030h]	8_2_010AA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE59C mov eax, dword ptr fs:[00000030h]	8_2_010EE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011305A7 mov eax, dword ptr fs:[00000030h]	8_2_011305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011305A7 mov eax, dword ptr fs:[00000030h]	8_2_011305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011305A7 mov eax, dword ptr fs:[00000030h]	8_2_011305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D45B1 mov eax, dword ptr fs:[00000030h]	8_2_010D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D45B1 mov eax, dword ptr fs:[00000030h]	8_2_010D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE5CF mov eax, dword ptr fs:[00000030h]	8_2_010EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE5CF mov eax, dword ptr fs:[00000030h]	8_2_010EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B65D0 mov eax, dword ptr fs:[00000030h]	8_2_010B65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA5D0 mov eax, dword ptr fs:[00000030h]	8_2_010EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA5D0 mov eax, dword ptr fs:[00000030h]	8_2_010EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC5ED mov eax, dword ptr fs:[00000030h]	8_2_010EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC5ED mov eax, dword ptr fs:[00000030h]	8_2_010EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_010DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B25E0 mov eax, dword ptr fs:[00000030h]	8_2_010B25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8402 mov eax, dword ptr fs:[00000030h]	8_2_010E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8402 mov eax, dword ptr fs:[00000030h]	8_2_010E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8402 mov eax, dword ptr fs:[00000030h]	8_2_010E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE420 mov eax, dword ptr fs:[00000030h]	8_2_010AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE420 mov eax, dword ptr fs:[00000030h]	8_2_010AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AE420 mov eax, dword ptr fs:[00000030h]	8_2_010AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AC427 mov eax, dword ptr fs:[00000030h]	8_2_010AC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01136420 mov eax, dword ptr fs:[00000030h]	8_2_01136420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116A456 mov eax, dword ptr fs:[00000030h]	8_2_0116A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EE443 mov eax, dword ptr fs:[00000030h]	8_2_010EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A645D mov eax, dword ptr fs:[00000030h]	8_2_010A645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D245A mov eax, dword ptr fs:[00000030h]	8_2_010D245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C460 mov ecx, dword ptr fs:[00000030h]	8_2_0113C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DA470 mov eax, dword ptr fs:[00000030h]	8_2_010DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DA470 mov eax, dword ptr fs:[00000030h]	8_2_010DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DA470 mov eax, dword ptr fs:[00000030h]	8_2_010DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0116A49A mov eax, dword ptr fs:[00000030h]	8_2_0116A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B64AB mov eax, dword ptr fs:[00000030h]	8_2_010B64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113A4B0 mov eax, dword ptr fs:[00000030h]	8_2_0113A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E44B0 mov ecx, dword ptr fs:[00000030h]	8_2_010E44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B04E5 mov ecx, dword ptr fs:[00000030h]	8_2_010B04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC700 mov eax, dword ptr fs:[00000030h]	8_2_010EC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0710 mov eax, dword ptr fs:[00000030h]	8_2_010B0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E0710 mov eax, dword ptr fs:[00000030h]	8_2_010E0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112C730 mov eax, dword ptr fs:[00000030h]	8_2_0112C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC720 mov eax, dword ptr fs:[00000030h]	8_2_010EC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC720 mov eax, dword ptr fs:[00000030h]	8_2_010EC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E273C mov eax, dword ptr fs:[00000030h]	8_2_010E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E273C mov ecx, dword ptr fs:[00000030h]	8_2_010E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E273C mov eax, dword ptr fs:[00000030h]	8_2_010E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E674D mov esi, dword ptr fs:[00000030h]	8_2_010E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E674D mov eax, dword ptr fs:[00000030h]	8_2_010E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E674D mov eax, dword ptr fs:[00000030h]	8_2_010E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01134755 mov eax, dword ptr fs:[00000030h]	8_2_01134755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010AA740 mov eax, dword ptr fs:[00000030h]	8_2_010AA740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E75D mov eax, dword ptr fs:[00000030h]	8_2_0113E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0750 mov eax, dword ptr fs:[00000030h]	8_2_010B0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2750 mov eax, dword ptr fs:[00000030h]	8_2_010F2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2750 mov eax, dword ptr fs:[00000030h]	8_2_010F2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8770 mov eax, dword ptr fs:[00000030h]	8_2_010B8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0770 mov eax, dword ptr fs:[00000030h]	8_2_010C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115678E mov eax, dword ptr fs:[00000030h]	8_2_0115678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B07AF mov eax, dword ptr fs:[00000030h]	8_2_010B07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011647A0 mov eax, dword ptr fs:[00000030h]	8_2_011647A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BC7C0 mov eax, dword ptr fs:[00000030h]	8_2_010BC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011307C3 mov eax, dword ptr fs:[00000030h]	8_2_011307C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D27ED mov eax, dword ptr fs:[00000030h]	8_2_010D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D27ED mov eax, dword ptr fs:[00000030h]	8_2_010D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D27ED mov eax, dword ptr fs:[00000030h]	8_2_010D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B47FB mov eax, dword ptr fs:[00000030h]	8_2_010B47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B47FB mov eax, dword ptr fs:[00000030h]	8_2_010B47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E7E1 mov eax, dword ptr fs:[00000030h]	8_2_0113E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C260B mov eax, dword ptr fs:[00000030h]	8_2_010C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F2619 mov eax, dword ptr fs:[00000030h]	8_2_010F2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E609 mov eax, dword ptr fs:[00000030h]	8_2_0112E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B262C mov eax, dword ptr fs:[00000030h]	8_2_010B262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CE627 mov eax, dword ptr fs:[00000030h]	8_2_010CE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E6620 mov eax, dword ptr fs:[00000030h]	8_2_010E6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8620 mov eax, dword ptr fs:[00000030h]	8_2_010E8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010CC640 mov eax, dword ptr fs:[00000030h]	8_2_010CC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA660 mov eax, dword ptr fs:[00000030h]	8_2_010EA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA660 mov eax, dword ptr fs:[00000030h]	8_2_010EA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117866E mov eax, dword ptr fs:[00000030h]	8_2_0117866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117866E mov eax, dword ptr fs:[00000030h]	8_2_0117866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E2674 mov eax, dword ptr fs:[00000030h]	8_2_010E2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4690 mov eax, dword ptr fs:[00000030h]	8_2_010B4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4690 mov eax, dword ptr fs:[00000030h]	8_2_010B4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC6A6 mov eax, dword ptr fs:[00000030h]	8_2_010EC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E66B0 mov eax, dword ptr fs:[00000030h]	8_2_010E66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA6C7 mov ebx, dword ptr fs:[00000030h]	8_2_010EA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA6C7 mov eax, dword ptr fs:[00000030h]	8_2_010EA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0112E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0112E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0112E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0112E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011306F1 mov eax, dword ptr fs:[00000030h]	8_2_011306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011306F1 mov eax, dword ptr fs:[00000030h]	8_2_011306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C912 mov eax, dword ptr fs:[00000030h]	8_2_0113C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8918 mov eax, dword ptr fs:[00000030h]	8_2_010A8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8918 mov eax, dword ptr fs:[00000030h]	8_2_010A8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E908 mov eax, dword ptr fs:[00000030h]	8_2_0112E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112E908 mov eax, dword ptr fs:[00000030h]	8_2_0112E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113892A mov eax, dword ptr fs:[00000030h]	8_2_0113892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0114892B mov eax, dword ptr fs:[00000030h]	8_2_0114892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01130946 mov eax, dword ptr fs:[00000030h]	8_2_01130946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184940 mov eax, dword ptr fs:[00000030h]	8_2_01184940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F096E mov eax, dword ptr fs:[00000030h]	8_2_010F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F096E mov edx, dword ptr fs:[00000030h]	8_2_010F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F096E mov eax, dword ptr fs:[00000030h]	8_2_010F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01154978 mov eax, dword ptr fs:[00000030h]	8_2_01154978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01154978 mov eax, dword ptr fs:[00000030h]	8_2_01154978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D6962 mov eax, dword ptr fs:[00000030h]	8_2_010D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D6962 mov eax, dword ptr fs:[00000030h]	8_2_010D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D6962 mov eax, dword ptr fs:[00000030h]	8_2_010D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C97C mov eax, dword ptr fs:[00000030h]	8_2_0113C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011389B3 mov esi, dword ptr fs:[00000030h]	8_2_011389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011389B3 mov eax, dword ptr fs:[00000030h]	8_2_011389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011389B3 mov eax, dword ptr fs:[00000030h]	8_2_011389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B09AD mov eax, dword ptr fs:[00000030h]	8_2_010B09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B09AD mov eax, dword ptr fs:[00000030h]	8_2_010B09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C29A0 mov eax, dword ptr fs:[00000030h]	8_2_010C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117A9D3 mov eax, dword ptr fs:[00000030h]	8_2_0117A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011469C0 mov eax, dword ptr fs:[00000030h]	8_2_011469C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_010BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E49D0 mov eax, dword ptr fs:[00000030h]	8_2_010E49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E9E0 mov eax, dword ptr fs:[00000030h]	8_2_0113E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E29F9 mov eax, dword ptr fs:[00000030h]	8_2_010E29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E29F9 mov eax, dword ptr fs:[00000030h]	8_2_010E29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C810 mov eax, dword ptr fs:[00000030h]	8_2_0113C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115483A mov eax, dword ptr fs:[00000030h]	8_2_0115483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115483A mov eax, dword ptr fs:[00000030h]	8_2_0115483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov ecx, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D2835 mov eax, dword ptr fs:[00000030h]	8_2_010D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EA830 mov eax, dword ptr fs:[00000030h]	8_2_010EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2840 mov ecx, dword ptr fs:[00000030h]	8_2_010C2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4859 mov eax, dword ptr fs:[00000030h]	8_2_010B4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B4859 mov eax, dword ptr fs:[00000030h]	8_2_010B4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E0854 mov eax, dword ptr fs:[00000030h]	8_2_010E0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E872 mov eax, dword ptr fs:[00000030h]	8_2_0113E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113E872 mov eax, dword ptr fs:[00000030h]	8_2_0113E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146870 mov eax, dword ptr fs:[00000030h]	8_2_01146870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146870 mov eax, dword ptr fs:[00000030h]	8_2_01146870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0887 mov eax, dword ptr fs:[00000030h]	8_2_010B0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113C89D mov eax, dword ptr fs:[00000030h]	8_2_0113C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DE8C0 mov eax, dword ptr fs:[00000030h]	8_2_010DE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_011808C0 mov eax, dword ptr fs:[00000030h]	8_2_011808C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117A8E4 mov eax, dword ptr fs:[00000030h]	8_2_0117A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC8F9 mov eax, dword ptr fs:[00000030h]	8_2_010EC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010EC8F9 mov eax, dword ptr fs:[00000030h]	8_2_010EC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0112EB1D mov eax, dword ptr fs:[00000030h]	8_2_0112EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01184B00 mov eax, dword ptr fs:[00000030h]	8_2_01184B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DEB20 mov eax, dword ptr fs:[00000030h]	8_2_010DEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DEB20 mov eax, dword ptr fs:[00000030h]	8_2_010DEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01178B28 mov eax, dword ptr fs:[00000030h]	8_2_01178B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01178B28 mov eax, dword ptr fs:[00000030h]	8_2_01178B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115EB50 mov eax, dword ptr fs:[00000030h]	8_2_0115EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01182B57 mov eax, dword ptr fs:[00000030h]	8_2_01182B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01182B57 mov eax, dword ptr fs:[00000030h]	8_2_01182B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01182B57 mov eax, dword ptr fs:[00000030h]	8_2_01182B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01182B57 mov eax, dword ptr fs:[00000030h]	8_2_01182B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146B40 mov eax, dword ptr fs:[00000030h]	8_2_01146B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01146B40 mov eax, dword ptr fs:[00000030h]	8_2_01146B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0117AB40 mov eax, dword ptr fs:[00000030h]	8_2_0117AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01158B42 mov eax, dword ptr fs:[00000030h]	8_2_01158B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8B50 mov eax, dword ptr fs:[00000030h]	8_2_010A8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164B4B mov eax, dword ptr fs:[00000030h]	8_2_01164B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164B4B mov eax, dword ptr fs:[00000030h]	8_2_01164B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010ACB7E mov eax, dword ptr fs:[00000030h]	8_2_010ACB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2B79 mov eax, dword ptr fs:[00000030h]	8_2_010C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2B79 mov eax, dword ptr fs:[00000030h]	8_2_010C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C2B79 mov eax, dword ptr fs:[00000030h]	8_2_010C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164BB0 mov eax, dword ptr fs:[00000030h]	8_2_01164BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01164BB0 mov eax, dword ptr fs:[00000030h]	8_2_01164BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0BBE mov eax, dword ptr fs:[00000030h]	8_2_010C0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0BBE mov eax, dword ptr fs:[00000030h]	8_2_010C0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0115EBD0 mov eax, dword ptr fs:[00000030h]	8_2_0115EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0BCD mov eax, dword ptr fs:[00000030h]	8_2_010B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0BCD mov eax, dword ptr fs:[00000030h]	8_2_010B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B0BCD mov eax, dword ptr fs:[00000030h]	8_2_010B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D0BCB mov eax, dword ptr fs:[00000030h]	8_2_010D0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D0BCB mov eax, dword ptr fs:[00000030h]	8_2_010D0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D0BCB mov eax, dword ptr fs:[00000030h]	8_2_010D0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113CBF0 mov eax, dword ptr fs:[00000030h]	8_2_0113CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DEBFC mov eax, dword ptr fs:[00000030h]	8_2_010DEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8BF0 mov ecx, dword ptr fs:[00000030h]	8_2_010E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010E8BF0 mov eax, dword ptr fs:[00000030h]	8_2_010E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0113CA11 mov eax, dword ptr fs:[00000030h]	8_2_0113CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8A00 mov eax, dword ptr fs:[00000030h]	8_2_010A8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010A8A00 mov eax, dword ptr fs:[00000030h]	8_2_010A8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010DEA2E mov eax, dword ptr fs:[00000030h]	8_2_010DEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010ECA24 mov eax, dword ptr fs:[00000030h]	8_2_010ECA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010ECA38 mov eax, dword ptr fs:[00000030h]	8_2_010ECA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D4A35 mov eax, dword ptr fs:[00000030h]	8_2_010D4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010D4A35 mov eax, dword ptr fs:[00000030h]	8_2_010D4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0A5B mov eax, dword ptr fs:[00000030h]	8_2_010C0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010C0A5B mov eax, dword ptr fs:[00000030h]	8_2_010C0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010B6A50 mov eax, dword ptr fs:[00000030h]	8_2_010B6A50

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00256800 GetProcessHeap,RtlFreeHeap,

16_2_00256800

Enables debug privileges

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00256EC0 SetUnhandledExceptionFilter,		16_2_00256EC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00256B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		16_2_00256B40

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x154A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x154A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0xBFA4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0xBFA56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 2580	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 2580
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 2580

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: E10000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 240000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 602008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D72008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bankcerticate223pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cvRSCwXQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8D97.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvRSCwXQ" /XML "C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: explorer.exe, 00000009.00000003.3111399030.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1741100099.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4158684864.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000002.4158684864.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1722661538.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.1721630165.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4158057912.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000009.00000002.4158684864.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1722661538.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000002.4158684864.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1722661538.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,	16_2_00246854
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	16_2_00248572
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	16_2_00249310

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Users\user\Desktop\Bankcerticate223pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

16_2_00246854

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00244D08 GetVersion,

16_2_00244D08

Source: C:\Users\user\Desktop\Bankcerticate223pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bankcerticate223pdf.exe.4ae4148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4158536381.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4157948381.00000000027D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1789025375.00000000047BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4158598483.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1799194770.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1792804943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741689555.0000000004AE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Windows Analysis Report
Bankcerticate223pdf.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Contacted URLs

ID:	1592537
Product:	CloudBasic
Start time:	09:11:05
Start date:	16.01.2025
Sample:	Bankcerticate223pdf.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	05bf21401fdd83ba54d1ad55f909e590
SHA1:	47efbfdfcfe6a39499d1bd5bf0fe2a27ade6c0ff
SHA256:	efd65e32b20afe5bd0541a097bb5f4e7f741875b2c65cab7f08c04a645ccdf6f
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bankcerticate223pdf.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cvRSCwXQ.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	A19005820D55B15F1053DF703CBCA83A	10D21D9080DEEBA12AD945FD8DFF4DE73C72E4B2	CEC4E17F0149A396725A9A44B6E5EEB38D434D66D756CCF2A60D7CB32E56E2C3
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0caxruox.skh.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_abu4iwsx.evb.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aiyd0en2.sqh.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_apmely4u.yzi.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brrn4jqa.q2k.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ptixplv1.uv0.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rxjqrb3d.qvx.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ut1gaemg.1xf.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\tmp8D97.tmp	XML 1.0 document, ASCII text	3ACAB1BC41671052FDB3F33FC60EA926	278850A615CA9242D176543B5F5C4DEC440C6F04	F0FD230A1309A2003526E622250FF1A6FFD66958DA724A45F8DA93AD122FE1FB
C:\Users\user\AppData\Local\Temp\tmp9DE3.tmp	XML 1.0 document, ASCII text	3ACAB1BC41671052FDB3F33FC60EA926	278850A615CA9242D176543B5F5C4DEC440C6F04	F0FD230A1309A2003526E622250FF1A6FFD66958DA724A45F8DA93AD122FE1FB
C:\Users\user\AppData\Roaming\cvRSCwXQ.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	05BF21401FDD83BA54D1AD55F909E590	47EFBFDFCFE6A39499D1BD5BF0FE2A27ADE6C0FF	EFD65E32B20AFE5BD0541A097BB5F4E7F741875B2C65CAB7F08C04A645CCDF6F
C:\Users\user\AppData\Roaming\cvRSCwXQ.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report Bankcerticate223pdf.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Contacted URLs

Windows Analysis Report
Bankcerticate223pdf.exe

Malware Threat Intel
Provided by