Windows Analysis Report
Pago pendiente.exe

Overview

General Information

Sample name: Pago pendiente.exe
Analysis ID: 1430321
MD5: 9a308e1ea62b7ede8876e433178957d1
SHA1: dac00f0068f3f97a71faf15577ce0c7d855ff691
SHA256: ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://www.urxetqt.com/gs12/www.hjgd.xyz Avira URL Cloud: Label: phishing
Source: http://www.urxetqt.com Avira URL Cloud: Label: phishing
Source: http://www.urxetqt.com/gs12/ Avira URL Cloud: Label: phishing
Found malware configuration
Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.lolabeautystudios.com/gs12/"], "decoy": ["juniavilela.com", "italiahealth.club", "freefoodpro.com", "qqmotor.co", "mosahacatering.com", "wocc.club", "tourly360.com", "airzf.com", "eternalknot1008.com", "pons.cc", "zdryueva.com", "bodution.website", "vip8g100013.top", "3box.club", "bestoffersinoneplace.com", "tronbank.club", "hlysh.live", "allfireofferapp.sbs", "goldenvistaservices.com", "theconfidencebl-youprint.com", "doping.digital", "urxetqt.com", "utahdatecoach.com", "coworkingvalencia.pro", "thebeautybarandco.com", "umastyle.club", "demandstudiosnews.com", "k2securityhn.com", "teacakesandtadpoles.com", "epacksystems.network", "y2llvq.vip", "udin88b.us", "simonettipressurewashing.com", "baansbliss.com", "messyplayclub.com", "panaco.co", "kustomequipment.com", "actnowgreen.com", "tallawahyouthfoundation.com", "novistashop.com", "oversight418354.email", "ypsom.info", "enerableoffi.club", "otirugkyt.com", "mappedbyamanda.com", "vibelola.com", "nexelab.com", "zgcple.info", "maiores-veritatis.com", "wonderdread.cloud", "signomo.com", "uspsdirect.shop", "finessebuilding.com", "heavydutywearpart.com", "51win.ink", "b-a-s-e.net", "xianqianjin.fun", "domscott.art", "rtp-tambakslot5000.site", "sports565.com", "kpi-finder.com", "taylor.capital", "1993520.xyz", "hjgd.xyz"]}
Multi AV Scanner detection for submitted file
Source: Pago pendiente.exe ReversingLabs: Detection: 23%
Yara detected FormBook
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Pago pendiente.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Pago pendiente.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Pago pendiente.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000006.00000002.4459657953.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4444528823.0000000004CFF000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4443405031.000000000282B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: control.pdb source: RegSvcs.exe, 00000005.00000002.2072131724.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2072038092.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, control.exe, control.exe, 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2075562332.00000000045FF000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2072079557.000000000444B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2075562332.00000000045FF000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2072079557.000000000444B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: control.pdbUGP source: RegSvcs.exe, 00000005.00000002.2072131724.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2072038092.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000006.00000002.4459657953.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4444528823.0000000004CFF000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4443405031.000000000282B000.00000004.00000020.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop esi 5_2_00417322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 5_2_00416CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 5_2_00417D70
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop esi 7_2_025B7322
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop edi 7_2_025B6CF0
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop edi 7_2_025B7D70

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 103.224.212.216 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 3.33.130.190 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.lolabeautystudios.com/gs12/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /gs12/?4h0=l5+ohMyXvfUY1BXURi/VBBPK89EwzQ1xmTW49ppdAXwminvYBxYYysXiCF4Xd1c73Byq&vT=LtxxLba HTTP/1.1Host: www.tronbank.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gs12/?4h0=sKMZ9JWmyHzsFnuZp0fZtWbmtlVDzCM4ZbYLfRKv+HtPtGiIGUjdRyYwPYcfKf7QGcOF&vT=LtxxLba HTTP/1.1Host: www.signomo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gs12/?4h0=DR9+51q0CIrIDgcjStoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpz0r/rXmCdIn&vT=LtxxLba HTTP/1.1Host: www.airzf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gs12/?4h0=q59tBajeIo68CyAO1CDG6iJlXnRVkR/RpgQvK7vE3BQj9j+5I7CNTMK9jJbO36qf2KSo&vT=LtxxLba HTTP/1.1Host: www.k2securityhn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.33.130.190 3.33.130.190
Source: Joe Sandbox View IP Address: 103.224.212.216 103.224.212.216
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB
Source: Joe Sandbox View ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 6_2_0E4CEF82 getaddrinfo,setsockopt,recv, 6_2_0E4CEF82
Source: global traffic HTTP traffic detected: GET /gs12/?4h0=l5+ohMyXvfUY1BXURi/VBBPK89EwzQ1xmTW49ppdAXwminvYBxYYysXiCF4Xd1c73Byq&vT=LtxxLba HTTP/1.1Host: www.tronbank.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gs12/?4h0=sKMZ9JWmyHzsFnuZp0fZtWbmtlVDzCM4ZbYLfRKv+HtPtGiIGUjdRyYwPYcfKf7QGcOF&vT=LtxxLba HTTP/1.1Host: www.signomo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gs12/?4h0=DR9+51q0CIrIDgcjStoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpz0r/rXmCdIn&vT=LtxxLba HTTP/1.1Host: www.airzf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gs12/?4h0=q59tBajeIo68CyAO1CDG6iJlXnRVkR/RpgQvK7vE3BQj9j+5I7CNTMK9jJbO36qf2KSo&vT=LtxxLba HTTP/1.1Host: www.k2securityhn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.tronbank.club
Source: explorer.exe, 00000006.00000000.2026275554.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2026275554.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000006.00000002.4443289671.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2011068724.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000006.00000000.2026275554.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2026275554.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000000.2026275554.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2026275554.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000006.00000000.2026275554.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2026275554.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000000.2026275554.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000000.2024943669.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4447767327.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4447077896.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: Pago pendiente.exe, 00000000.00000002.2008580882.00000000034E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Pago pendiente.exe String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.51win.ink
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.51win.ink/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.51win.ink/gs12/ch_cf
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.51win.inkReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.actnowgreen.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.actnowgreen.com/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.actnowgreen.com/gs12/www.udin88b.us
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.actnowgreen.comReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.airzf.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.airzf.com/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.airzf.com/gs12/www.actnowgreen.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.airzf.comReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eternalknot1008.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eternalknot1008.com/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eternalknot1008.com/gs12/www.zgcple.info
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eternalknot1008.comReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hjgd.xyz
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hjgd.xyz/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hjgd.xyz/gs12/www.airzf.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hjgd.xyzReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.k2securityhn.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.k2securityhn.com/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.k2securityhn.com/gs12/www.wonderdread.cloud
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.k2securityhn.comReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lolabeautystudios.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lolabeautystudios.com/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lolabeautystudios.com/gs12/www.y2llvq.vip
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lolabeautystudios.comReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.signomo.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.signomo.com/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.signomo.com/gs12/www.urxetqt.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.signomo.comReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sports565.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sports565.com/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sports565.com/gs12/www.lolabeautystudios.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sports565.comReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tronbank.club
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tronbank.club/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tronbank.club/gs12/www.signomo.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tronbank.clubReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.udin88b.us
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.udin88b.us/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.udin88b.us/gs12/www.eternalknot1008.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.udin88b.usReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.umastyle.club
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.umastyle.club/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.umastyle.club/gs12/www.sports565.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.umastyle.clubReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.urxetqt.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.urxetqt.com/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.urxetqt.com/gs12/www.hjgd.xyz
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.urxetqt.comReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.wonderdread.cloud
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.wonderdread.cloud/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.wonderdread.cloud/gs12/www.umastyle.club
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.wonderdread.cloudReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.y2llvq.vip
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.y2llvq.vip/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.y2llvq.vip/gs12/www.51win.ink
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.y2llvq.vipReferer:
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zgcple.info
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zgcple.info/gs12/
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zgcple.info/gs12/www.k2securityhn.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zgcple.infoReferer:
Source: explorer.exe, 00000006.00000000.2029302609.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000006.00000000.2020705290.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000006.00000000.2026275554.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000006.00000002.4445926904.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2020705290.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000002.4444586531.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3095397354.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2016481468.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000006.00000003.3097001927.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4449891914.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3097220261.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2026275554.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3096490276.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000006.00000002.4449957042.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3096490276.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2026275554.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000006.00000002.4454283275.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2029302609.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000006.00000000.2026275554.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000006.00000000.2026275554.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: explorer.exe, 00000006.00000002.4459657953.000000001136F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4444528823.00000000051EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4458911697.000000000E4E6000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: Process Memory Space: Pago pendiente.exe PID: 5824, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 5840, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: control.exe PID: 1644, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
.NET source code contains very large array initializations
Source: Pago pendiente.exe, Program.cs Large array initialization: : array initializer size 566442
Source: 0.2.Pago pendiente.exe.7700000.11.raw.unpack, HomeView.cs Large array initialization: : array initializer size 33604
Source: 0.2.Pago pendiente.exe.32f8498.5.raw.unpack, HomeView.cs Large array initialization: : array initializer size 33604
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A360 NtCreateFile, 5_2_0041A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A410 NtReadFile, 5_2_0041A410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A490 NtClose, 5_2_0041A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A540 NtAllocateVirtualMemory, 5_2_0041A540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A35A NtCreateFile, 5_2_0041A35A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A53B NtAllocateVirtualMemory, 5_2_0041A53B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472B60 NtClose,LdrInitializeThunk, 5_2_01472B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_01472BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472AD0 NtReadFile,LdrInitializeThunk, 5_2_01472AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_01472D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472D30 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_01472D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472DD0 NtDelayExecution,LdrInitializeThunk, 5_2_01472DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_01472DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_01472C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_01472CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472F30 NtCreateSection,LdrInitializeThunk, 5_2_01472F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472FE0 NtCreateFile,LdrInitializeThunk, 5_2_01472FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472F90 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_01472F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472FB0 NtResumeThread,LdrInitializeThunk, 5_2_01472FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472E80 NtReadVirtualMemory,LdrInitializeThunk, 5_2_01472E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_01472EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01474340 NtSetContextThread, 5_2_01474340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01474650 NtSuspendThread, 5_2_01474650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472BE0 NtQueryValueKey, 5_2_01472BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472B80 NtQueryInformationFile, 5_2_01472B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472BA0 NtEnumerateValueKey, 5_2_01472BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472AF0 NtWriteFile, 5_2_01472AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472AB0 NtWaitForSingleObject, 5_2_01472AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472D00 NtSetInformationFile, 5_2_01472D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472DB0 NtEnumerateKey, 5_2_01472DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472C60 NtCreateKey, 5_2_01472C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472C00 NtQueryInformationProcess, 5_2_01472C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472CC0 NtQueryVirtualMemory, 5_2_01472CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472CF0 NtOpenProcess, 5_2_01472CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472F60 NtCreateProcessEx, 5_2_01472F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472FA0 NtQuerySection, 5_2_01472FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472E30 NtWriteVirtualMemory, 5_2_01472E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472EE0 NtQueueApcThread, 5_2_01472EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01473010 NtOpenDirectoryObject, 5_2_01473010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01473090 NtSetValueKey, 5_2_01473090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014735C0 NtCreateMutant, 5_2_014735C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014739B0 NtGetContextThread, 5_2_014739B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01473D70 NtOpenThread, 5_2_01473D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01473D10 NtOpenProcessToken, 5_2_01473D10
Source: C:\Windows\explorer.exe Code function: 6_2_0E4CFE12 NtProtectVirtualMemory, 6_2_0E4CFE12
Source: C:\Windows\explorer.exe Code function: 6_2_0E4CE232 NtCreateFile, 6_2_0E4CE232
Source: C:\Windows\explorer.exe Code function: 6_2_0E4CFE0A NtProtectVirtualMemory, 6_2_0E4CFE0A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822CA0 NtQueryInformationToken,LdrInitializeThunk, 7_2_04822CA0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822C60 NtCreateKey,LdrInitializeThunk, 7_2_04822C60
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_04822C70
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822DD0 NtDelayExecution,LdrInitializeThunk, 7_2_04822DD0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_04822DF0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822D10 NtMapViewOfSection,LdrInitializeThunk, 7_2_04822D10
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_04822EA0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822FE0 NtCreateFile,LdrInitializeThunk, 7_2_04822FE0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822F30 NtCreateSection,LdrInitializeThunk, 7_2_04822F30
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822AD0 NtReadFile,LdrInitializeThunk, 7_2_04822AD0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822BE0 NtQueryValueKey,LdrInitializeThunk, 7_2_04822BE0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_04822BF0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822B60 NtClose,LdrInitializeThunk, 7_2_04822B60
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048235C0 NtCreateMutant,LdrInitializeThunk, 7_2_048235C0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04824650 NtSuspendThread, 7_2_04824650
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04824340 NtSetContextThread, 7_2_04824340
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822CC0 NtQueryVirtualMemory, 7_2_04822CC0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822CF0 NtOpenProcess, 7_2_04822CF0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822C00 NtQueryInformationProcess, 7_2_04822C00
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822DB0 NtEnumerateKey, 7_2_04822DB0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822D00 NtSetInformationFile, 7_2_04822D00
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822D30 NtUnmapViewOfSection, 7_2_04822D30
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822E80 NtReadVirtualMemory, 7_2_04822E80
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822EE0 NtQueueApcThread, 7_2_04822EE0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822E30 NtWriteVirtualMemory, 7_2_04822E30
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822F90 NtProtectVirtualMemory, 7_2_04822F90
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822FA0 NtQuerySection, 7_2_04822FA0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822FB0 NtResumeThread, 7_2_04822FB0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822F60 NtCreateProcessEx, 7_2_04822F60
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822AB0 NtWaitForSingleObject, 7_2_04822AB0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822AF0 NtWriteFile, 7_2_04822AF0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822B80 NtQueryInformationFile, 7_2_04822B80
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04822BA0 NtEnumerateValueKey, 7_2_04822BA0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04823090 NtSetValueKey, 7_2_04823090
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04823010 NtOpenDirectoryObject, 7_2_04823010
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04823D10 NtOpenProcessToken, 7_2_04823D10
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04823D70 NtOpenThread, 7_2_04823D70
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048239B0 NtGetContextThread, 7_2_048239B0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025BA360 NtCreateFile, 7_2_025BA360
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025BA410 NtReadFile, 7_2_025BA410
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025BA490 NtClose, 7_2_025BA490
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025BA540 NtAllocateVirtualMemory, 7_2_025BA540
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025BA35A NtCreateFile, 7_2_025BA35A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025BA53B NtAllocateVirtualMemory, 7_2_025BA53B
Detected potential crypto function
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_031AD91C 0_2_031AD91C
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_058B0518 0_2_058B0518
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_058B0510 0_2_058B0510
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07726798 0_2_07726798
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07729528 0_2_07729528
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_077245F8 0_2_077245F8
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07729840 0_2_07729840
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_077258E8 0_2_077258E8
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07726717 0_2_07726717
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_0772A7C0 0_2_0772A7C0
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_0772A7B0 0_2_0772A7B0
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07727678 0_2_07727678
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_0772663F 0_2_0772663F
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07727688 0_2_07727688
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07724560 0_2_07724560
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07728540 0_2_07728540
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07728531 0_2_07728531
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07729518 0_2_07729518
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07725345 0_2_07725345
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07725348 0_2_07725348
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07724E71 0_2_07724E71
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_0772BEE8 0_2_0772BEE8
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_0772BED8 0_2_0772BED8
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07724E80 0_2_07724E80
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07723AE8 0_2_07723AE8
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07728AE8 0_2_07728AE8
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07723AD8 0_2_07723AD8
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_0772DAC6 0_2_0772DAC6
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07729831 0_2_07729831
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_077258D8 0_2_077258D8
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_077288B0 0_2_077288B0
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_077288A3 0_2_077288A3
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07A51E98 0_2_07A51E98
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07A5B630 0_2_07A5B630
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07A51E88 0_2_07A51E88
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07A55688 0_2_07A55688
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07A55698 0_2_07A55698
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07A56EE8 0_2_07A56EE8
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07A54E28 0_2_07A54E28
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07A55260 0_2_07A55260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00401028 5_2_00401028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041D9B7 5_2_0041D9B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041E214 5_2_0041E214
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041ECEE 5_2_0041ECEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00402D88 5_2_00402D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00409E5B 5_2_00409E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00409E60 5_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041D6A4 5_2_0041D6A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C8158 5_2_014C8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430100 5_2_01430100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DA118 5_2_014DA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F81CC 5_2_014F81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F41A2 5_2_014F41A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_015001AA 5_2_015001AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D2000 5_2_014D2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FA352 5_2_014FA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144E3F0 5_2_0144E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_015003E6 5_2_015003E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C02C0 5_2_014C02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440535 5_2_01440535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01500591 5_2_01500591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F2446 5_2_014F2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E4420 5_2_014E4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014EE4F6 5_2_014EE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01464750 5_2_01464750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143C7C0 5_2_0143C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145C6E0 5_2_0145C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01456962 5_2_01456962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0150A9A6 5_2_0150A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144A840 5_2_0144A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01442840 5_2_01442840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E8F0 5_2_0146E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014268B8 5_2_014268B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FAB40 5_2_014FAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F6BD7 5_2_014F6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143EA80 5_2_0143EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144AD00 5_2_0144AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DCD1F 5_2_014DCD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143ADE0 5_2_0143ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01458DBF 5_2_01458DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440C00 5_2_01440C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430CF2 5_2_01430CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0CB5 5_2_014E0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B4F40 5_2_014B4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01482F28 5_2_01482F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01460F30 5_2_01460F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E2F30 5_2_014E2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01432FC8 5_2_01432FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144CFE0 5_2_0144CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BEFA0 5_2_014BEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440E59 5_2_01440E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FEE26 5_2_014FEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FEEDB 5_2_014FEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01452E90 5_2_01452E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FCE93 5_2_014FCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0147516C 5_2_0147516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142F172 5_2_0142F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0150B16B 5_2_0150B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144B1B0 5_2_0144B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014EF0CC 5_2_014EF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014470C0 5_2_014470C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F70E9 5_2_014F70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FF0E0 5_2_014FF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142D34C 5_2_0142D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F132D 5_2_014F132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0148739A 5_2_0148739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145B2C0 5_2_0145B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E12ED 5_2_014E12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014452A0 5_2_014452A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F7571 5_2_014F7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_015095C3 5_2_015095C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DD5B0 5_2_014DD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01431460 5_2_01431460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FF43F 5_2_014FF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FF7B0 5_2_014FF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01485630 5_2_01485630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F16CC 5_2_014F16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01449950 5_2_01449950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145B950 5_2_0145B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D5910 5_2_014D5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AD800 5_2_014AD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014438E0 5_2_014438E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FFB76 5_2_014FFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B5BF0 5_2_014B5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0147DBF9 5_2_0147DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145FB80 5_2_0145FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FFA49 5_2_014FFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F7A46 5_2_014F7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B3A6C 5_2_014B3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014EDAC6 5_2_014EDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DDAAC 5_2_014DDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01485AA0 5_2_01485AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E1AA3 5_2_014E1AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01443D40 5_2_01443D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F1D5A 5_2_014F1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F7D73 5_2_014F7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145FDC0 5_2_0145FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B9C32 5_2_014B9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FFCF2 5_2_014FFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FFF09 5_2_014FFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01441F92 5_2_01441F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FFFB1 5_2_014FFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01449EB0 5_2_01449EB0
Source: C:\Windows\explorer.exe Code function: 6_2_0E4CE232 6_2_0E4CE232
Source: C:\Windows\explorer.exe Code function: 6_2_0E4CD036 6_2_0E4CD036
Source: C:\Windows\explorer.exe Code function: 6_2_0E4C4082 6_2_0E4C4082
Source: C:\Windows\explorer.exe Code function: 6_2_0E4C5D02 6_2_0E4C5D02
Source: C:\Windows\explorer.exe Code function: 6_2_0E4CB912 6_2_0E4CB912
Source: C:\Windows\explorer.exe Code function: 6_2_0E4C8B30 6_2_0E4C8B30
Source: C:\Windows\explorer.exe Code function: 6_2_0E4C8B32 6_2_0E4C8B32
Source: C:\Windows\explorer.exe Code function: 6_2_0E4D15CD 6_2_0E4D15CD
Source: C:\Windows\explorer.exe Code function: 6_2_101CB036 6_2_101CB036
Source: C:\Windows\explorer.exe Code function: 6_2_101C2082 6_2_101C2082
Source: C:\Windows\explorer.exe Code function: 6_2_101C9912 6_2_101C9912
Source: C:\Windows\explorer.exe Code function: 6_2_101C3D02 6_2_101C3D02
Source: C:\Windows\explorer.exe Code function: 6_2_101CF5CD 6_2_101CF5CD
Source: C:\Windows\explorer.exe Code function: 6_2_101CC232 6_2_101CC232
Source: C:\Windows\explorer.exe Code function: 6_2_101C6B30 6_2_101C6B30
Source: C:\Windows\explorer.exe Code function: 6_2_101C6B32 6_2_101C6B32
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0006764B 7_2_0006764B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0006305C 7_2_0006305C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0006978B 7_2_0006978B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0489E4F6 7_2_0489E4F6
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04894420 7_2_04894420
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048A2446 7_2_048A2446
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048B0591 7_2_048B0591
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F0535 7_2_047F0535
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0480C6E0 7_2_0480C6E0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F0770 7_2_047F0770
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047EC7C0 7_2_047EC7C0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04814750 7_2_04814750
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04882000 7_2_04882000
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048B01AA 7_2_048B01AA
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048A41A2 7_2_048A41A2
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048A81CC 7_2_048A81CC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047E0100 7_2_047E0100
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0488A118 7_2_0488A118
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04878158 7_2_04878158
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048702C0 7_2_048702C0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04890274 7_2_04890274
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048B03E6 7_2_048B03E6
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047FE3F0 7_2_047FE3F0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048AA352 7_2_048AA352
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04890CB5 7_2_04890CB5
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F0C00 7_2_047F0C00
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047E0CF2 7_2_047E0CF2
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04808DBF 7_2_04808DBF
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047FAD00 7_2_047FAD00
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0488CD1F 7_2_0488CD1F
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047EADE0 7_2_047EADE0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04802E90 7_2_04802E90
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048ACE93 7_2_048ACE93
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F0E59 7_2_047F0E59
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048AEEDB 7_2_048AEEDB
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048AEE26 7_2_048AEE26
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0486EFA0 7_2_0486EFA0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047FCFE0 7_2_047FCFE0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04832F28 7_2_04832F28
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04810F30 7_2_04810F30
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047E2FC8 7_2_047E2FC8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04892F30 7_2_04892F30
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04864F40 7_2_04864F40
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F2840 7_2_047F2840
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047FA840 7_2_047FA840
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0481E8F0 7_2_0481E8F0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D68B8 7_2_047D68B8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048BA9A6 7_2_048BA9A6
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F29A0 7_2_047F29A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04806962 7_2_04806962
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047EEA80 7_2_047EEA80
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048A6BD7 7_2_048A6BD7
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048AAB40 7_2_048AAB40
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047E1460 7_2_047E1460
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048AF43F 7_2_048AF43F
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0488D5B0 7_2_0488D5B0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048B95C3 7_2_048B95C3
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048A7571 7_2_048A7571
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048A16CC 7_2_048A16CC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04835630 7_2_04835630
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048AF7B0 7_2_048AF7B0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0489F0CC 7_2_0489F0CC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048A70E9 7_2_048A70E9
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048AF0E0 7_2_048AF0E0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F70C0 7_2_047F70C0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047DF172 7_2_047DF172
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047FB1B0 7_2_047FB1B0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048BB16B 7_2_048BB16B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0482516C 7_2_0482516C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0480B2C0 7_2_0480B2C0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048912ED 7_2_048912ED
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F52A0 7_2_047F52A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0483739A 7_2_0483739A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047DD34C 7_2_047DD34C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048A132D 7_2_048A132D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048AFCF2 7_2_048AFCF2
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04869C32 7_2_04869C32
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F3D40 7_2_047F3D40
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0480FDC0 7_2_0480FDC0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048A1D5A 7_2_048A1D5A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048A7D73 7_2_048A7D73
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F9EB0 7_2_047F9EB0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048AFFB1 7_2_048AFFB1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048AFF09 7_2_048AFF09
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B3FD2 7_2_047B3FD2
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B3FD5 7_2_047B3FD5
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F1F92 7_2_047F1F92
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0485D800 7_2_0485D800
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F38E0 7_2_047F38E0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047F9950 7_2_047F9950
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04885910 7_2_04885910
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0480B950 7_2_0480B950
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04835AA0 7_2_04835AA0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0488DAAC 7_2_0488DAAC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04891AA3 7_2_04891AA3
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0489DAC6 7_2_0489DAC6
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048AFA49 7_2_048AFA49
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048A7A46 7_2_048A7A46
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04863A6C 7_2_04863A6C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0480FB80 7_2_0480FB80
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04865BF0 7_2_04865BF0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0482DBF9 7_2_0482DBF9
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048AFB76 7_2_048AFB76
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025A9E5B 7_2_025A9E5B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025A9E60 7_2_025A9E60
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025A2FB0 7_2_025A2FB0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025BECEE 7_2_025BECEE
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025A2D90 7_2_025A2D90
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025A2D88 7_2_025A2D88
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01475130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 014BF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 014AEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01487E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0142B970 appears 280 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 0486F290 appears 105 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 047DB970 appears 280 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 04825130 appears 58 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 0485EA12 appears 86 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 04837E54 appears 111 times
Sample file is different than original file name gathered from version info
Source: Pago pendiente.exe, 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Pago pendiente.exe
Source: Pago pendiente.exe, 00000000.00000002.2008580882.00000000032D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Pago pendiente.exe
Source: Pago pendiente.exe, 00000000.00000002.2006528335.000000000130E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Pago pendiente.exe
Source: Pago pendiente.exe, 00000000.00000002.2016169605.0000000005300000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Pago pendiente.exe
Source: Pago pendiente.exe, 00000000.00000002.2020493928.0000000007700000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Pago pendiente.exe
Source: Pago pendiente.exe Binary or memory string: OriginalFilenameJOoy.exeB vs Pago pendiente.exe
Uses 32bit PE files
Source: Pago pendiente.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.4458911697.000000000E4E6000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: Process Memory Space: Pago pendiente.exe PID: 5824, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 5840, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: control.exe PID: 1644, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Pago pendiente.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, IQKgXNAjhiaS4o0dDr.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, IQKgXNAjhiaS4o0dDr.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, GDVHnCd8e4hct1HQKy.cs Security API names: _0020.SetAccessControl
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, GDVHnCd8e4hct1HQKy.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, GDVHnCd8e4hct1HQKy.cs Security API names: _0020.AddAccessRule
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, IQKgXNAjhiaS4o0dDr.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, GDVHnCd8e4hct1HQKy.cs Security API names: _0020.SetAccessControl
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, GDVHnCd8e4hct1HQKy.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, GDVHnCd8e4hct1HQKy.cs Security API names: _0020.AddAccessRule
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, GDVHnCd8e4hct1HQKy.cs Security API names: _0020.SetAccessControl
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, GDVHnCd8e4hct1HQKy.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, GDVHnCd8e4hct1HQKy.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/6@12/3
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000638B0 HeapSetInformation,StrCmpICW,CompareStringOrdinal,CompareStringOrdinal,CoTaskMemFree,StrCmpICW,IsOS,CompareStringOrdinal,StrCmpICW,StrCmpICW,lstrlenW,AllowSetForegroundWindow,ShellExecuteExW,CoInitializeEx,CoCreateInstance,CoUninitialize, 7_2_000638B0
Source: C:\Users\user\Desktop\Pago pendiente.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pago pendiente.exe.log Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iofqxz1p.z2x.ps1 Jump to behavior
Source: Pago pendiente.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Pago pendiente.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Pago pendiente.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Pago pendiente.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\Pago pendiente.exe File read: C:\Users\user\Desktop\Pago pendiente.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Pago pendiente.exe "C:\Users\user\Desktop\Pago pendiente.exe"
Source: C:\Users\user\Desktop\Pago pendiente.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Pago pendiente.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Pago pendiente.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe" Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe" Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: workfoldersshell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Pago pendiente.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Pago pendiente.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000006.00000002.4459657953.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4444528823.0000000004CFF000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4443405031.000000000282B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: control.pdb source: RegSvcs.exe, 00000005.00000002.2072131724.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2072038092.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, control.exe, control.exe, 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2075562332.00000000045FF000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2072079557.000000000444B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2075562332.00000000045FF000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2072079557.000000000444B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: control.pdbUGP source: RegSvcs.exe, 00000005.00000002.2072131724.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2072038092.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000006.00000002.4459657953.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4444528823.0000000004CFF000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4443405031.000000000282B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Pago pendiente.exe, Form1.cs .Net Code: InitializeComponent
Source: 0.2.Pago pendiente.exe.7700000.11.raw.unpack, HomeView.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Pago pendiente.exe.32f8498.5.raw.unpack, HomeView.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, GDVHnCd8e4hct1HQKy.cs .Net Code: nM5Y8yY844OV97SlUkr System.Reflection.Assembly.Load(byte[])
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, GDVHnCd8e4hct1HQKy.cs .Net Code: nM5Y8yY844OV97SlUkr System.Reflection.Assembly.Load(byte[])
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, GDVHnCd8e4hct1HQKy.cs .Net Code: nM5Y8yY844OV97SlUkr System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_077261E5 pushad ; retf 0_2_077261E6
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_077261EF pushad ; retf 0_2_077261F0
Source: C:\Users\user\Desktop\Pago pendiente.exe Code function: 0_2_07A545D4 push ebp; retf 0_2_07A545D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00417024 push ecx; iretd 5_2_00417025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004170C2 push edx; ret 5_2_004170CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004073EB push ebp; ret 5_2_004073EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00416CC8 push D1939A9Fh; retf 5_2_00416CCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041D4B5 push eax; ret 5_2_0041D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041D56C push eax; ret 5_2_0041D572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041D502 push eax; ret 5_2_0041D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041D50B push eax; ret 5_2_0041D572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014309AD push ecx; mov dword ptr [esp], ecx 5_2_014309B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0140135E push eax; iretd 5_2_01401369
Source: C:\Windows\explorer.exe Code function: 6_2_0E4D1B02 push esp; retn 0000h 6_2_0E4D1B03
Source: C:\Windows\explorer.exe Code function: 6_2_0E4D1B1E push esp; retn 0000h 6_2_0E4D1B1F
Source: C:\Windows\explorer.exe Code function: 6_2_0E4D19B5 push esp; retn 0000h 6_2_0E4D1AE7
Source: C:\Windows\explorer.exe Code function: 6_2_101CF9B5 push esp; retn 0000h 6_2_101CFAE7
Source: C:\Windows\explorer.exe Code function: 6_2_101CFB1E push esp; retn 0000h 6_2_101CFB1F
Source: C:\Windows\explorer.exe Code function: 6_2_101CFB02 push esp; retn 0000h 6_2_101CFB03
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0006486D push ecx; ret 7_2_00064880
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B27FA pushad ; ret 7_2_047B27F9
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B225F pushad ; ret 7_2_047B27F9
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B283D push eax; iretd 7_2_047B2858
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047E09AD push ecx; mov dword ptr [esp], ecx 7_2_047E09B6
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025A73EB push ebp; ret 7_2_025A73EC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025B7024 push ecx; iretd 7_2_025B7025
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025B70C2 push edx; ret 7_2_025B70CA
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025BD4B5 push eax; ret 7_2_025BD508
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025BD56C push eax; ret 7_2_025BD572
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025BD50B push eax; ret 7_2_025BD572
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_025BD502 push eax; ret 7_2_025BD508
Source: Pago pendiente.exe Static PE information: section name: .text entropy: 7.9402587845762955
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, p9IUFAmHiMdrlKeUBu.cs High entropy of concatenated method names: 'ptJbMH6R4K', 'eeXbuRFTuS', 'KOrbG4TY6Y', 'dpSb96egsG', 'sUYbJ1a2cO', 'SM3bDBJv5Z', 'Ui0b6YTyr8', 'PQW7Q3wFcG', 'TbL7iDSMqG', 'CAS7j6pI8J'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, rMMxMYJxa9lPbCugfv.cs High entropy of concatenated method names: 'Dispose', 'JOfMjer7K7', 'WVRY20O88F', 'eMveeCcEUB', 'frRMmCKFRR', 'idgMzItJqD', 'ProcessDialogKey', 'IyAYLx00SK', 'ynAYMybQBX', 'aSHYY09IUF'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, Ye8cD83ilgP4Q1dM8q.cs High entropy of concatenated method names: 'r7ccAysw1i', 's2ockC5LHL', 'LKPcTAIniD', 'BYAc2ITeqN', 'RWRcnnxrfl', 'c2ycU56NTS', 'sL4cg6YBFM', 'qpLcW54Wsc', 'T7lcPhWTmD', 'T9ScCVDb94'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, IQKgXNAjhiaS4o0dDr.cs High entropy of concatenated method names: 'yBrJKZ4sdF', 'aHMJljN128', 'SkkJtE58EK', 'rH0JyBnhWo', 'FqxJh5MKZI', 'VfGJvxZTcy', 'pPYJQlQ7hO', 'I8NJidQ8w0', 'eLEJjFS28b', 'bPLJmAND8K'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, GDVHnCd8e4hct1HQKy.cs High entropy of concatenated method names: 'RcEu8Gup93', 'jDhu9V47tw', 'nNduJMVobt', 'rLnuriQ63y', 'VGsuDPnL0K', 'tVMu6VYJLB', 'A5KuotME0x', 'G01uds6eG6', 'QuDuF8TjKr', 'WisuORrG7Q'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, AXKOa9YvYah2ILJNRV.cs High entropy of concatenated method names: 'rydSsc1G5', 'VUPXxX8LA', 'Qfl5ewpkV', 'QkERYAgBA', 'on2kEUkGZ', 'z1WN4QuSw', 'N175s9bHombUWO9Oth', 'ATc4RvVGSuVbIix8lM', 'IXN7PXEZJ', 'rdSVRMTAQ'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, AHoIF0TeuJQfgUnWf4.cs High entropy of concatenated method names: 'irZ68JCcTg', 'YWl6JUY4OV', 'GwP6DIM2FB', 'Dam6o7pwZv', 'S1G6dO7QKA', 'dJADhHqHw1', 'a6iDv8SqWs', 'CfWDQgDPG1', 'JotDie8pdE', 'O5QDjLSd8E'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, HPe8TuMuoArV3iWmnaG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uIjVKOptQe', 'yKPVlv5DUh', 'PdgVtCh4ke', 'kwAVyFJLPP', 'hkuVhtg9Dm', 'VKlVveExIS', 'PflVQp4i6h'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, hUIdvJzp3hSwOD6Knr.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l4ubcMiwUK', 'VfBbB32Zwu', 'cufb0fWrSy', 'kVlbpgBB4b', 'jmIb7voSKk', 'euhbbS27jo', 'QQAbVYep01'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, cyZmYlkmRq3rAqHw2h.cs High entropy of concatenated method names: 'TZUrX95S8N', 'Ohhr5rP6rX', 'aiBrA62GJb', 'hVSrkgyt31', 'txSrBSkhAt', 'TNgr0393Xf', 'SbGrpEGVto', 'brxr7JeAuD', 'NlVrbvaEZb', 'RxDrVXFGx6'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, Cv3u2mMLqgVyop0G1AN.cs High entropy of concatenated method names: 'QE9bwYLlcx', 'lFYbx8ZWHq', 'QECbSXGNq7', 'up9bXaaXRy', 'L2Jbf5gSnI', 'i26b5MNxtF', 'IPEbRZ6nZg', 'feLbAFLIyZ', 'SX2bkZB8WM', 'vZGbNpl7X9'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, M4qQq4G1UrG1lP8ZE3.cs High entropy of concatenated method names: 'yqnMoQKgXN', 'YhiMdaS4o0', 'RmRMOq3rAq', 'Kw2M4hTpd1', 'rlcMBQyXHo', 'NF0M0euJQf', 'zDSt40cPsStBkEWNhs', 'YbGCJpH1L1Lx4m0ik3', 'i9WMMlK87V', 'X5FMuNCWaF'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, Fpd1sFNOxY2GMblcQy.cs High entropy of concatenated method names: 'sTBDfZihnL', 'USEDRBxAHj', 'RhIreDRDPG', 'LaIrnBLx6j', 'bOWrUEnLaP', 'CYarHfEKWu', 'na5rgoqaWL', 'chgrW8aZPo', 'snGrILIsl5', 'cuhrPnjlWJ'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, x7wBW7KwVdGRUhw4G0.cs High entropy of concatenated method names: 'BHmBPRL8nw', 'RpIBZ01ddK', 'IWQBK0QRp2', 'lW7BlGBUe4', 'KPFB2sJggf', 'VcRBeUCbxU', 'J6cBnFqXgA', 'DTYBUbFk0k', 'HW9BHgoWbE', 'gZYBgvhG4A'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, gRCKFRiRDdgItJqDny.cs High entropy of concatenated method names: 'R2Q796ZjJ0', 'nGH7J1RSiL', 'cWo7rjppKl', 'M4n7D9PpUl', 'qY076f68Vm', 'Q5S7oPrHjm', 'SFy7djiqUW', 'DpX7Fsi2CQ', 'hO97OPJ947', 'sky74VCD4G'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, cX4ZgRg3HpJweDXnri.cs High entropy of concatenated method names: 'uvOo9Flv6v', 'C59or7autg', 'pu2o6nkMlY', 'yyK6m3kqSR', 'TAJ6zgUuBZ', 'hXfoLttTSi', 'eXxoM62lBt', 'hAOoYkeKgm', 'SdGou63t9e', 'w0MoGvcpUM'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, G3nNu1yLLZWCVb0s4T.cs High entropy of concatenated method names: 'I0epOVONQy', 'U5wp42Kpdw', 'ToString', 'Gkgp9AVYmT', 'bdypJPZiGi', 'WWFprCO0mW', 'ecVpDSJPS1', 'MTrp6kLwKR', 'jhipoLFcxT', 'QxapdnyfIX'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, Dx00SKjxnAybQBXMSH.cs High entropy of concatenated method names: 'K0n7TAD3YQ', 'jBa72rbjiR', 'BeB7eVO3Pj', 'AxG7n4qmbF', 'uLp7Kdq7Fk', 'z2g7UnZ9Eq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, Mj6eLHr9Gfok1X3SWR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gsRYjndp2q', 'R5bYmWxL1B', 'g9gYzAOCnp', 'CtEuLqr905', 'We3uM0cMgf', 'ExiuY7YWrV', 'iCLuuAajeV', 'wQR1QxYiF46ddfUAkNL'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, JiUYX5IaJZrrF9fpAJ.cs High entropy of concatenated method names: 'RyKowX41g1', 'zU0oxhhmtr', 'wq2oSV2sd3', 'NvQoXbyikM', 'FbHof9mDFB', 'ALWo5TqOAw', 'CohoRBr8Fh', 'tjJoAaNnKp', 'MQrokDwjcJ', 'qoRoN9tfQ7'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, FmJaeetirRTGV3GUfA.cs High entropy of concatenated method names: 'ToString', 'bq60ClfX1X', 'psn02UaZq6', 'VHO0e9q9o6', 'fFJ0nbCFsR', 'xjd0U58dlC', 'sAZ0HDeoAe', 'sox0g7Bv8w', 'NF40WmuXuD', 'ePd0Is7qtL'
Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, ifpL5MvflcOluxXgWa.cs High entropy of concatenated method names: 'cV7piNaiMo', 'BxepmnLu6c', 'yjq7L0FqN2', 'GlD7MGNJvi', 'gbxpCDRT9N', 'qKOpZaCMop', 'rPPp31NpuZ', 'Nx1pKOH96S', 'bSJplEqxLd', 'FqWptCqVYD'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, p9IUFAmHiMdrlKeUBu.cs High entropy of concatenated method names: 'ptJbMH6R4K', 'eeXbuRFTuS', 'KOrbG4TY6Y', 'dpSb96egsG', 'sUYbJ1a2cO', 'SM3bDBJv5Z', 'Ui0b6YTyr8', 'PQW7Q3wFcG', 'TbL7iDSMqG', 'CAS7j6pI8J'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, rMMxMYJxa9lPbCugfv.cs High entropy of concatenated method names: 'Dispose', 'JOfMjer7K7', 'WVRY20O88F', 'eMveeCcEUB', 'frRMmCKFRR', 'idgMzItJqD', 'ProcessDialogKey', 'IyAYLx00SK', 'ynAYMybQBX', 'aSHYY09IUF'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, Ye8cD83ilgP4Q1dM8q.cs High entropy of concatenated method names: 'r7ccAysw1i', 's2ockC5LHL', 'LKPcTAIniD', 'BYAc2ITeqN', 'RWRcnnxrfl', 'c2ycU56NTS', 'sL4cg6YBFM', 'qpLcW54Wsc', 'T7lcPhWTmD', 'T9ScCVDb94'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, IQKgXNAjhiaS4o0dDr.cs High entropy of concatenated method names: 'yBrJKZ4sdF', 'aHMJljN128', 'SkkJtE58EK', 'rH0JyBnhWo', 'FqxJh5MKZI', 'VfGJvxZTcy', 'pPYJQlQ7hO', 'I8NJidQ8w0', 'eLEJjFS28b', 'bPLJmAND8K'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, GDVHnCd8e4hct1HQKy.cs High entropy of concatenated method names: 'RcEu8Gup93', 'jDhu9V47tw', 'nNduJMVobt', 'rLnuriQ63y', 'VGsuDPnL0K', 'tVMu6VYJLB', 'A5KuotME0x', 'G01uds6eG6', 'QuDuF8TjKr', 'WisuORrG7Q'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, AXKOa9YvYah2ILJNRV.cs High entropy of concatenated method names: 'rydSsc1G5', 'VUPXxX8LA', 'Qfl5ewpkV', 'QkERYAgBA', 'on2kEUkGZ', 'z1WN4QuSw', 'N175s9bHombUWO9Oth', 'ATc4RvVGSuVbIix8lM', 'IXN7PXEZJ', 'rdSVRMTAQ'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, AHoIF0TeuJQfgUnWf4.cs High entropy of concatenated method names: 'irZ68JCcTg', 'YWl6JUY4OV', 'GwP6DIM2FB', 'Dam6o7pwZv', 'S1G6dO7QKA', 'dJADhHqHw1', 'a6iDv8SqWs', 'CfWDQgDPG1', 'JotDie8pdE', 'O5QDjLSd8E'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, HPe8TuMuoArV3iWmnaG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uIjVKOptQe', 'yKPVlv5DUh', 'PdgVtCh4ke', 'kwAVyFJLPP', 'hkuVhtg9Dm', 'VKlVveExIS', 'PflVQp4i6h'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, hUIdvJzp3hSwOD6Knr.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l4ubcMiwUK', 'VfBbB32Zwu', 'cufb0fWrSy', 'kVlbpgBB4b', 'jmIb7voSKk', 'euhbbS27jo', 'QQAbVYep01'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, cyZmYlkmRq3rAqHw2h.cs High entropy of concatenated method names: 'TZUrX95S8N', 'Ohhr5rP6rX', 'aiBrA62GJb', 'hVSrkgyt31', 'txSrBSkhAt', 'TNgr0393Xf', 'SbGrpEGVto', 'brxr7JeAuD', 'NlVrbvaEZb', 'RxDrVXFGx6'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, Cv3u2mMLqgVyop0G1AN.cs High entropy of concatenated method names: 'QE9bwYLlcx', 'lFYbx8ZWHq', 'QECbSXGNq7', 'up9bXaaXRy', 'L2Jbf5gSnI', 'i26b5MNxtF', 'IPEbRZ6nZg', 'feLbAFLIyZ', 'SX2bkZB8WM', 'vZGbNpl7X9'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, M4qQq4G1UrG1lP8ZE3.cs High entropy of concatenated method names: 'yqnMoQKgXN', 'YhiMdaS4o0', 'RmRMOq3rAq', 'Kw2M4hTpd1', 'rlcMBQyXHo', 'NF0M0euJQf', 'zDSt40cPsStBkEWNhs', 'YbGCJpH1L1Lx4m0ik3', 'i9WMMlK87V', 'X5FMuNCWaF'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, Fpd1sFNOxY2GMblcQy.cs High entropy of concatenated method names: 'sTBDfZihnL', 'USEDRBxAHj', 'RhIreDRDPG', 'LaIrnBLx6j', 'bOWrUEnLaP', 'CYarHfEKWu', 'na5rgoqaWL', 'chgrW8aZPo', 'snGrILIsl5', 'cuhrPnjlWJ'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, x7wBW7KwVdGRUhw4G0.cs High entropy of concatenated method names: 'BHmBPRL8nw', 'RpIBZ01ddK', 'IWQBK0QRp2', 'lW7BlGBUe4', 'KPFB2sJggf', 'VcRBeUCbxU', 'J6cBnFqXgA', 'DTYBUbFk0k', 'HW9BHgoWbE', 'gZYBgvhG4A'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, gRCKFRiRDdgItJqDny.cs High entropy of concatenated method names: 'R2Q796ZjJ0', 'nGH7J1RSiL', 'cWo7rjppKl', 'M4n7D9PpUl', 'qY076f68Vm', 'Q5S7oPrHjm', 'SFy7djiqUW', 'DpX7Fsi2CQ', 'hO97OPJ947', 'sky74VCD4G'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, cX4ZgRg3HpJweDXnri.cs High entropy of concatenated method names: 'uvOo9Flv6v', 'C59or7autg', 'pu2o6nkMlY', 'yyK6m3kqSR', 'TAJ6zgUuBZ', 'hXfoLttTSi', 'eXxoM62lBt', 'hAOoYkeKgm', 'SdGou63t9e', 'w0MoGvcpUM'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, G3nNu1yLLZWCVb0s4T.cs High entropy of concatenated method names: 'I0epOVONQy', 'U5wp42Kpdw', 'ToString', 'Gkgp9AVYmT', 'bdypJPZiGi', 'WWFprCO0mW', 'ecVpDSJPS1', 'MTrp6kLwKR', 'jhipoLFcxT', 'QxapdnyfIX'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, Dx00SKjxnAybQBXMSH.cs High entropy of concatenated method names: 'K0n7TAD3YQ', 'jBa72rbjiR', 'BeB7eVO3Pj', 'AxG7n4qmbF', 'uLp7Kdq7Fk', 'z2g7UnZ9Eq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, Mj6eLHr9Gfok1X3SWR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gsRYjndp2q', 'R5bYmWxL1B', 'g9gYzAOCnp', 'CtEuLqr905', 'We3uM0cMgf', 'ExiuY7YWrV', 'iCLuuAajeV', 'wQR1QxYiF46ddfUAkNL'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, JiUYX5IaJZrrF9fpAJ.cs High entropy of concatenated method names: 'RyKowX41g1', 'zU0oxhhmtr', 'wq2oSV2sd3', 'NvQoXbyikM', 'FbHof9mDFB', 'ALWo5TqOAw', 'CohoRBr8Fh', 'tjJoAaNnKp', 'MQrokDwjcJ', 'qoRoN9tfQ7'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, FmJaeetirRTGV3GUfA.cs High entropy of concatenated method names: 'ToString', 'bq60ClfX1X', 'psn02UaZq6', 'VHO0e9q9o6', 'fFJ0nbCFsR', 'xjd0U58dlC', 'sAZ0HDeoAe', 'sox0g7Bv8w', 'NF40WmuXuD', 'ePd0Is7qtL'
Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, ifpL5MvflcOluxXgWa.cs High entropy of concatenated method names: 'cV7piNaiMo', 'BxepmnLu6c', 'yjq7L0FqN2', 'GlD7MGNJvi', 'gbxpCDRT9N', 'qKOpZaCMop', 'rPPp31NpuZ', 'Nx1pKOH96S', 'bSJplEqxLd', 'FqWptCqVYD'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, p9IUFAmHiMdrlKeUBu.cs High entropy of concatenated method names: 'ptJbMH6R4K', 'eeXbuRFTuS', 'KOrbG4TY6Y', 'dpSb96egsG', 'sUYbJ1a2cO', 'SM3bDBJv5Z', 'Ui0b6YTyr8', 'PQW7Q3wFcG', 'TbL7iDSMqG', 'CAS7j6pI8J'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, rMMxMYJxa9lPbCugfv.cs High entropy of concatenated method names: 'Dispose', 'JOfMjer7K7', 'WVRY20O88F', 'eMveeCcEUB', 'frRMmCKFRR', 'idgMzItJqD', 'ProcessDialogKey', 'IyAYLx00SK', 'ynAYMybQBX', 'aSHYY09IUF'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, Ye8cD83ilgP4Q1dM8q.cs High entropy of concatenated method names: 'r7ccAysw1i', 's2ockC5LHL', 'LKPcTAIniD', 'BYAc2ITeqN', 'RWRcnnxrfl', 'c2ycU56NTS', 'sL4cg6YBFM', 'qpLcW54Wsc', 'T7lcPhWTmD', 'T9ScCVDb94'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, IQKgXNAjhiaS4o0dDr.cs High entropy of concatenated method names: 'yBrJKZ4sdF', 'aHMJljN128', 'SkkJtE58EK', 'rH0JyBnhWo', 'FqxJh5MKZI', 'VfGJvxZTcy', 'pPYJQlQ7hO', 'I8NJidQ8w0', 'eLEJjFS28b', 'bPLJmAND8K'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, GDVHnCd8e4hct1HQKy.cs High entropy of concatenated method names: 'RcEu8Gup93', 'jDhu9V47tw', 'nNduJMVobt', 'rLnuriQ63y', 'VGsuDPnL0K', 'tVMu6VYJLB', 'A5KuotME0x', 'G01uds6eG6', 'QuDuF8TjKr', 'WisuORrG7Q'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, AXKOa9YvYah2ILJNRV.cs High entropy of concatenated method names: 'rydSsc1G5', 'VUPXxX8LA', 'Qfl5ewpkV', 'QkERYAgBA', 'on2kEUkGZ', 'z1WN4QuSw', 'N175s9bHombUWO9Oth', 'ATc4RvVGSuVbIix8lM', 'IXN7PXEZJ', 'rdSVRMTAQ'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, AHoIF0TeuJQfgUnWf4.cs High entropy of concatenated method names: 'irZ68JCcTg', 'YWl6JUY4OV', 'GwP6DIM2FB', 'Dam6o7pwZv', 'S1G6dO7QKA', 'dJADhHqHw1', 'a6iDv8SqWs', 'CfWDQgDPG1', 'JotDie8pdE', 'O5QDjLSd8E'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, HPe8TuMuoArV3iWmnaG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uIjVKOptQe', 'yKPVlv5DUh', 'PdgVtCh4ke', 'kwAVyFJLPP', 'hkuVhtg9Dm', 'VKlVveExIS', 'PflVQp4i6h'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, hUIdvJzp3hSwOD6Knr.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l4ubcMiwUK', 'VfBbB32Zwu', 'cufb0fWrSy', 'kVlbpgBB4b', 'jmIb7voSKk', 'euhbbS27jo', 'QQAbVYep01'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, cyZmYlkmRq3rAqHw2h.cs High entropy of concatenated method names: 'TZUrX95S8N', 'Ohhr5rP6rX', 'aiBrA62GJb', 'hVSrkgyt31', 'txSrBSkhAt', 'TNgr0393Xf', 'SbGrpEGVto', 'brxr7JeAuD', 'NlVrbvaEZb', 'RxDrVXFGx6'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, Cv3u2mMLqgVyop0G1AN.cs High entropy of concatenated method names: 'QE9bwYLlcx', 'lFYbx8ZWHq', 'QECbSXGNq7', 'up9bXaaXRy', 'L2Jbf5gSnI', 'i26b5MNxtF', 'IPEbRZ6nZg', 'feLbAFLIyZ', 'SX2bkZB8WM', 'vZGbNpl7X9'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, M4qQq4G1UrG1lP8ZE3.cs High entropy of concatenated method names: 'yqnMoQKgXN', 'YhiMdaS4o0', 'RmRMOq3rAq', 'Kw2M4hTpd1', 'rlcMBQyXHo', 'NF0M0euJQf', 'zDSt40cPsStBkEWNhs', 'YbGCJpH1L1Lx4m0ik3', 'i9WMMlK87V', 'X5FMuNCWaF'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, Fpd1sFNOxY2GMblcQy.cs High entropy of concatenated method names: 'sTBDfZihnL', 'USEDRBxAHj', 'RhIreDRDPG', 'LaIrnBLx6j', 'bOWrUEnLaP', 'CYarHfEKWu', 'na5rgoqaWL', 'chgrW8aZPo', 'snGrILIsl5', 'cuhrPnjlWJ'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, x7wBW7KwVdGRUhw4G0.cs High entropy of concatenated method names: 'BHmBPRL8nw', 'RpIBZ01ddK', 'IWQBK0QRp2', 'lW7BlGBUe4', 'KPFB2sJggf', 'VcRBeUCbxU', 'J6cBnFqXgA', 'DTYBUbFk0k', 'HW9BHgoWbE', 'gZYBgvhG4A'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, gRCKFRiRDdgItJqDny.cs High entropy of concatenated method names: 'R2Q796ZjJ0', 'nGH7J1RSiL', 'cWo7rjppKl', 'M4n7D9PpUl', 'qY076f68Vm', 'Q5S7oPrHjm', 'SFy7djiqUW', 'DpX7Fsi2CQ', 'hO97OPJ947', 'sky74VCD4G'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, cX4ZgRg3HpJweDXnri.cs High entropy of concatenated method names: 'uvOo9Flv6v', 'C59or7autg', 'pu2o6nkMlY', 'yyK6m3kqSR', 'TAJ6zgUuBZ', 'hXfoLttTSi', 'eXxoM62lBt', 'hAOoYkeKgm', 'SdGou63t9e', 'w0MoGvcpUM'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, G3nNu1yLLZWCVb0s4T.cs High entropy of concatenated method names: 'I0epOVONQy', 'U5wp42Kpdw', 'ToString', 'Gkgp9AVYmT', 'bdypJPZiGi', 'WWFprCO0mW', 'ecVpDSJPS1', 'MTrp6kLwKR', 'jhipoLFcxT', 'QxapdnyfIX'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, Dx00SKjxnAybQBXMSH.cs High entropy of concatenated method names: 'K0n7TAD3YQ', 'jBa72rbjiR', 'BeB7eVO3Pj', 'AxG7n4qmbF', 'uLp7Kdq7Fk', 'z2g7UnZ9Eq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, Mj6eLHr9Gfok1X3SWR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gsRYjndp2q', 'R5bYmWxL1B', 'g9gYzAOCnp', 'CtEuLqr905', 'We3uM0cMgf', 'ExiuY7YWrV', 'iCLuuAajeV', 'wQR1QxYiF46ddfUAkNL'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, JiUYX5IaJZrrF9fpAJ.cs High entropy of concatenated method names: 'RyKowX41g1', 'zU0oxhhmtr', 'wq2oSV2sd3', 'NvQoXbyikM', 'FbHof9mDFB', 'ALWo5TqOAw', 'CohoRBr8Fh', 'tjJoAaNnKp', 'MQrokDwjcJ', 'qoRoN9tfQ7'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, FmJaeetirRTGV3GUfA.cs High entropy of concatenated method names: 'ToString', 'bq60ClfX1X', 'psn02UaZq6', 'VHO0e9q9o6', 'fFJ0nbCFsR', 'xjd0U58dlC', 'sAZ0HDeoAe', 'sox0g7Bv8w', 'NF40WmuXuD', 'ePd0Is7qtL'
Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, ifpL5MvflcOluxXgWa.cs High entropy of concatenated method names: 'cV7piNaiMo', 'BxepmnLu6c', 'yjq7L0FqN2', 'GlD7MGNJvi', 'gbxpCDRT9N', 'qKOpZaCMop', 'rPPp31NpuZ', 'Nx1pKOH96S', 'bSJplEqxLd', 'FqWptCqVYD'

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Pago pendiente.exe PID: 5824, type: MEMORYSTR
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 25A9904 second address: 25A990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 25A9B7E second address: 25A9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: 3130000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: 32D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: 52D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: 9840000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: A840000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: AA60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: BA60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: BF80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: CF80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: DF80000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Pago pendiente.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5983 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3765 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 9744 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 874 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 874 Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Window / User API: threadDelayed 9840 Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 1.6 %
Source: C:\Windows\SysWOW64\control.exe API coverage: 1.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Pago pendiente.exe TID: 5644 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2412 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4536 Thread sleep count: 197 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4536 Thread sleep time: -394000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4536 Thread sleep count: 9744 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4536 Thread sleep time: -19488000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 1632 Thread sleep count: 131 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 1632 Thread sleep time: -262000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 1632 Thread sleep count: 9840 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 1632 Thread sleep time: -19680000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Pago pendiente.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000006.00000003.3096752770.0000000009C92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000006.00000000.2020705290.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000006.00000000.2026275554.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000006.00000003.3096490276.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000003.3789657905.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000006.00000003.3096752770.0000000009C92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000002.4448347462.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000006.00000003.3095397354.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000006.00000003.3096752770.0000000009C92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: Pago pendiente.exe, 00000000.00000002.2006572080.0000000001341000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000006.00000000.2011068724.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000006.00000003.3095397354.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000006.00000000.2020705290.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: Pago pendiente.exe, 00000000.00000002.2006572080.0000000001341000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000006.00000000.2026275554.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000003.3095397354.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000006.00000003.3095397354.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000006.00000003.3096490276.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000006.00000003.3096752770.0000000009C92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000006.00000000.2011068724.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000002.4448347462.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000002.4445926904.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0040ACF0 LdrLoadDll, 5_2_0040ACF0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000669F5 IsDebuggerPresent, 7_2_000669F5
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C4144 mov eax, dword ptr fs:[00000030h] 5_2_014C4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C4144 mov eax, dword ptr fs:[00000030h] 5_2_014C4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C4144 mov ecx, dword ptr fs:[00000030h] 5_2_014C4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C4144 mov eax, dword ptr fs:[00000030h] 5_2_014C4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C4144 mov eax, dword ptr fs:[00000030h] 5_2_014C4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142C156 mov eax, dword ptr fs:[00000030h] 5_2_0142C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C8158 mov eax, dword ptr fs:[00000030h] 5_2_014C8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01436154 mov eax, dword ptr fs:[00000030h] 5_2_01436154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01436154 mov eax, dword ptr fs:[00000030h] 5_2_01436154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504164 mov eax, dword ptr fs:[00000030h] 5_2_01504164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504164 mov eax, dword ptr fs:[00000030h] 5_2_01504164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE10E mov eax, dword ptr fs:[00000030h] 5_2_014DE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE10E mov ecx, dword ptr fs:[00000030h] 5_2_014DE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE10E mov eax, dword ptr fs:[00000030h] 5_2_014DE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE10E mov eax, dword ptr fs:[00000030h] 5_2_014DE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE10E mov ecx, dword ptr fs:[00000030h] 5_2_014DE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE10E mov eax, dword ptr fs:[00000030h] 5_2_014DE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE10E mov eax, dword ptr fs:[00000030h] 5_2_014DE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE10E mov ecx, dword ptr fs:[00000030h] 5_2_014DE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE10E mov eax, dword ptr fs:[00000030h] 5_2_014DE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE10E mov ecx, dword ptr fs:[00000030h] 5_2_014DE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DA118 mov ecx, dword ptr fs:[00000030h] 5_2_014DA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DA118 mov eax, dword ptr fs:[00000030h] 5_2_014DA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DA118 mov eax, dword ptr fs:[00000030h] 5_2_014DA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DA118 mov eax, dword ptr fs:[00000030h] 5_2_014DA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F0115 mov eax, dword ptr fs:[00000030h] 5_2_014F0115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01460124 mov eax, dword ptr fs:[00000030h] 5_2_01460124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F61C3 mov eax, dword ptr fs:[00000030h] 5_2_014F61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F61C3 mov eax, dword ptr fs:[00000030h] 5_2_014F61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE1D0 mov eax, dword ptr fs:[00000030h] 5_2_014AE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE1D0 mov eax, dword ptr fs:[00000030h] 5_2_014AE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE1D0 mov ecx, dword ptr fs:[00000030h] 5_2_014AE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE1D0 mov eax, dword ptr fs:[00000030h] 5_2_014AE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE1D0 mov eax, dword ptr fs:[00000030h] 5_2_014AE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_015061E5 mov eax, dword ptr fs:[00000030h] 5_2_015061E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014601F8 mov eax, dword ptr fs:[00000030h] 5_2_014601F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01470185 mov eax, dword ptr fs:[00000030h] 5_2_01470185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014EC188 mov eax, dword ptr fs:[00000030h] 5_2_014EC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014EC188 mov eax, dword ptr fs:[00000030h] 5_2_014EC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D4180 mov eax, dword ptr fs:[00000030h] 5_2_014D4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D4180 mov eax, dword ptr fs:[00000030h] 5_2_014D4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B019F mov eax, dword ptr fs:[00000030h] 5_2_014B019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B019F mov eax, dword ptr fs:[00000030h] 5_2_014B019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B019F mov eax, dword ptr fs:[00000030h] 5_2_014B019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B019F mov eax, dword ptr fs:[00000030h] 5_2_014B019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142A197 mov eax, dword ptr fs:[00000030h] 5_2_0142A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142A197 mov eax, dword ptr fs:[00000030h] 5_2_0142A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142A197 mov eax, dword ptr fs:[00000030h] 5_2_0142A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01432050 mov eax, dword ptr fs:[00000030h] 5_2_01432050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B6050 mov eax, dword ptr fs:[00000030h] 5_2_014B6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145C073 mov eax, dword ptr fs:[00000030h] 5_2_0145C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B4000 mov ecx, dword ptr fs:[00000030h] 5_2_014B4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D2000 mov eax, dword ptr fs:[00000030h] 5_2_014D2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D2000 mov eax, dword ptr fs:[00000030h] 5_2_014D2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D2000 mov eax, dword ptr fs:[00000030h] 5_2_014D2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D2000 mov eax, dword ptr fs:[00000030h] 5_2_014D2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D2000 mov eax, dword ptr fs:[00000030h] 5_2_014D2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D2000 mov eax, dword ptr fs:[00000030h] 5_2_014D2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D2000 mov eax, dword ptr fs:[00000030h] 5_2_014D2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D2000 mov eax, dword ptr fs:[00000030h] 5_2_014D2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144E016 mov eax, dword ptr fs:[00000030h] 5_2_0144E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144E016 mov eax, dword ptr fs:[00000030h] 5_2_0144E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144E016 mov eax, dword ptr fs:[00000030h] 5_2_0144E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144E016 mov eax, dword ptr fs:[00000030h] 5_2_0144E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142A020 mov eax, dword ptr fs:[00000030h] 5_2_0142A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142C020 mov eax, dword ptr fs:[00000030h] 5_2_0142C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C6030 mov eax, dword ptr fs:[00000030h] 5_2_014C6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B20DE mov eax, dword ptr fs:[00000030h] 5_2_014B20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142A0E3 mov ecx, dword ptr fs:[00000030h] 5_2_0142A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014380E9 mov eax, dword ptr fs:[00000030h] 5_2_014380E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B60E0 mov eax, dword ptr fs:[00000030h] 5_2_014B60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142C0F0 mov eax, dword ptr fs:[00000030h] 5_2_0142C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014720F0 mov ecx, dword ptr fs:[00000030h] 5_2_014720F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143208A mov eax, dword ptr fs:[00000030h] 5_2_0143208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014280A0 mov eax, dword ptr fs:[00000030h] 5_2_014280A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C80A8 mov eax, dword ptr fs:[00000030h] 5_2_014C80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F60B8 mov eax, dword ptr fs:[00000030h] 5_2_014F60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F60B8 mov ecx, dword ptr fs:[00000030h] 5_2_014F60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B035C mov eax, dword ptr fs:[00000030h] 5_2_014B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B035C mov eax, dword ptr fs:[00000030h] 5_2_014B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B035C mov eax, dword ptr fs:[00000030h] 5_2_014B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B035C mov ecx, dword ptr fs:[00000030h] 5_2_014B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B035C mov eax, dword ptr fs:[00000030h] 5_2_014B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B035C mov eax, dword ptr fs:[00000030h] 5_2_014B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FA352 mov eax, dword ptr fs:[00000030h] 5_2_014FA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D8350 mov ecx, dword ptr fs:[00000030h] 5_2_014D8350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0150634F mov eax, dword ptr fs:[00000030h] 5_2_0150634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D437C mov eax, dword ptr fs:[00000030h] 5_2_014D437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A30B mov eax, dword ptr fs:[00000030h] 5_2_0146A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A30B mov eax, dword ptr fs:[00000030h] 5_2_0146A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A30B mov eax, dword ptr fs:[00000030h] 5_2_0146A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142C310 mov ecx, dword ptr fs:[00000030h] 5_2_0142C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01450310 mov ecx, dword ptr fs:[00000030h] 5_2_01450310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01508324 mov eax, dword ptr fs:[00000030h] 5_2_01508324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01508324 mov ecx, dword ptr fs:[00000030h] 5_2_01508324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01508324 mov eax, dword ptr fs:[00000030h] 5_2_01508324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01508324 mov eax, dword ptr fs:[00000030h] 5_2_01508324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014EC3CD mov eax, dword ptr fs:[00000030h] 5_2_014EC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0143A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0143A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0143A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0143A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0143A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0143A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014383C0 mov eax, dword ptr fs:[00000030h] 5_2_014383C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014383C0 mov eax, dword ptr fs:[00000030h] 5_2_014383C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014383C0 mov eax, dword ptr fs:[00000030h] 5_2_014383C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014383C0 mov eax, dword ptr fs:[00000030h] 5_2_014383C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B63C0 mov eax, dword ptr fs:[00000030h] 5_2_014B63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE3DB mov eax, dword ptr fs:[00000030h] 5_2_014DE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE3DB mov eax, dword ptr fs:[00000030h] 5_2_014DE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE3DB mov ecx, dword ptr fs:[00000030h] 5_2_014DE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DE3DB mov eax, dword ptr fs:[00000030h] 5_2_014DE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D43D4 mov eax, dword ptr fs:[00000030h] 5_2_014D43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D43D4 mov eax, dword ptr fs:[00000030h] 5_2_014D43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h] 5_2_014403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h] 5_2_014403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h] 5_2_014403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h] 5_2_014403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h] 5_2_014403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h] 5_2_014403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h] 5_2_014403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h] 5_2_014403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0144E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0144E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0144E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014663FF mov eax, dword ptr fs:[00000030h] 5_2_014663FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142E388 mov eax, dword ptr fs:[00000030h] 5_2_0142E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142E388 mov eax, dword ptr fs:[00000030h] 5_2_0142E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142E388 mov eax, dword ptr fs:[00000030h] 5_2_0142E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145438F mov eax, dword ptr fs:[00000030h] 5_2_0145438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145438F mov eax, dword ptr fs:[00000030h] 5_2_0145438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01428397 mov eax, dword ptr fs:[00000030h] 5_2_01428397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01428397 mov eax, dword ptr fs:[00000030h] 5_2_01428397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01428397 mov eax, dword ptr fs:[00000030h] 5_2_01428397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B8243 mov eax, dword ptr fs:[00000030h] 5_2_014B8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B8243 mov ecx, dword ptr fs:[00000030h] 5_2_014B8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0150625D mov eax, dword ptr fs:[00000030h] 5_2_0150625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142A250 mov eax, dword ptr fs:[00000030h] 5_2_0142A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01436259 mov eax, dword ptr fs:[00000030h] 5_2_01436259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014EA250 mov eax, dword ptr fs:[00000030h] 5_2_014EA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014EA250 mov eax, dword ptr fs:[00000030h] 5_2_014EA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01434260 mov eax, dword ptr fs:[00000030h] 5_2_01434260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01434260 mov eax, dword ptr fs:[00000030h] 5_2_01434260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01434260 mov eax, dword ptr fs:[00000030h] 5_2_01434260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142826B mov eax, dword ptr fs:[00000030h] 5_2_0142826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h] 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h] 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h] 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h] 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h] 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h] 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h] 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h] 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h] 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h] 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h] 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h] 5_2_014E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142823B mov eax, dword ptr fs:[00000030h] 5_2_0142823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0143A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0143A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0143A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0143A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0143A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_015062D6 mov eax, dword ptr fs:[00000030h] 5_2_015062D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014402E1 mov eax, dword ptr fs:[00000030h] 5_2_014402E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014402E1 mov eax, dword ptr fs:[00000030h] 5_2_014402E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014402E1 mov eax, dword ptr fs:[00000030h] 5_2_014402E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E284 mov eax, dword ptr fs:[00000030h] 5_2_0146E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E284 mov eax, dword ptr fs:[00000030h] 5_2_0146E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B0283 mov eax, dword ptr fs:[00000030h] 5_2_014B0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B0283 mov eax, dword ptr fs:[00000030h] 5_2_014B0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B0283 mov eax, dword ptr fs:[00000030h] 5_2_014B0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014402A0 mov eax, dword ptr fs:[00000030h] 5_2_014402A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014402A0 mov eax, dword ptr fs:[00000030h] 5_2_014402A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C62A0 mov eax, dword ptr fs:[00000030h] 5_2_014C62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C62A0 mov ecx, dword ptr fs:[00000030h] 5_2_014C62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C62A0 mov eax, dword ptr fs:[00000030h] 5_2_014C62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C62A0 mov eax, dword ptr fs:[00000030h] 5_2_014C62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C62A0 mov eax, dword ptr fs:[00000030h] 5_2_014C62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C62A0 mov eax, dword ptr fs:[00000030h] 5_2_014C62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01438550 mov eax, dword ptr fs:[00000030h] 5_2_01438550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01438550 mov eax, dword ptr fs:[00000030h] 5_2_01438550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146656A mov eax, dword ptr fs:[00000030h] 5_2_0146656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146656A mov eax, dword ptr fs:[00000030h] 5_2_0146656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146656A mov eax, dword ptr fs:[00000030h] 5_2_0146656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C6500 mov eax, dword ptr fs:[00000030h] 5_2_014C6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504500 mov eax, dword ptr fs:[00000030h] 5_2_01504500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504500 mov eax, dword ptr fs:[00000030h] 5_2_01504500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504500 mov eax, dword ptr fs:[00000030h] 5_2_01504500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504500 mov eax, dword ptr fs:[00000030h] 5_2_01504500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504500 mov eax, dword ptr fs:[00000030h] 5_2_01504500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504500 mov eax, dword ptr fs:[00000030h] 5_2_01504500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504500 mov eax, dword ptr fs:[00000030h] 5_2_01504500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440535 mov eax, dword ptr fs:[00000030h] 5_2_01440535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440535 mov eax, dword ptr fs:[00000030h] 5_2_01440535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440535 mov eax, dword ptr fs:[00000030h] 5_2_01440535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440535 mov eax, dword ptr fs:[00000030h] 5_2_01440535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440535 mov eax, dword ptr fs:[00000030h] 5_2_01440535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440535 mov eax, dword ptr fs:[00000030h] 5_2_01440535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E53E mov eax, dword ptr fs:[00000030h] 5_2_0145E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E53E mov eax, dword ptr fs:[00000030h] 5_2_0145E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E53E mov eax, dword ptr fs:[00000030h] 5_2_0145E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E53E mov eax, dword ptr fs:[00000030h] 5_2_0145E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E53E mov eax, dword ptr fs:[00000030h] 5_2_0145E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E5CF mov eax, dword ptr fs:[00000030h] 5_2_0146E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E5CF mov eax, dword ptr fs:[00000030h] 5_2_0146E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014365D0 mov eax, dword ptr fs:[00000030h] 5_2_014365D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A5D0 mov eax, dword ptr fs:[00000030h] 5_2_0146A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A5D0 mov eax, dword ptr fs:[00000030h] 5_2_0146A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0145E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0145E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0145E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0145E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0145E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0145E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0145E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0145E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014325E0 mov eax, dword ptr fs:[00000030h] 5_2_014325E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146C5ED mov eax, dword ptr fs:[00000030h] 5_2_0146C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146C5ED mov eax, dword ptr fs:[00000030h] 5_2_0146C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01432582 mov eax, dword ptr fs:[00000030h] 5_2_01432582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01432582 mov ecx, dword ptr fs:[00000030h] 5_2_01432582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01464588 mov eax, dword ptr fs:[00000030h] 5_2_01464588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E59C mov eax, dword ptr fs:[00000030h] 5_2_0146E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B05A7 mov eax, dword ptr fs:[00000030h] 5_2_014B05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B05A7 mov eax, dword ptr fs:[00000030h] 5_2_014B05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B05A7 mov eax, dword ptr fs:[00000030h] 5_2_014B05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014545B1 mov eax, dword ptr fs:[00000030h] 5_2_014545B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014545B1 mov eax, dword ptr fs:[00000030h] 5_2_014545B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h] 5_2_0146E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h] 5_2_0146E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h] 5_2_0146E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h] 5_2_0146E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h] 5_2_0146E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h] 5_2_0146E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h] 5_2_0146E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h] 5_2_0146E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014EA456 mov eax, dword ptr fs:[00000030h] 5_2_014EA456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142645D mov eax, dword ptr fs:[00000030h] 5_2_0142645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145245A mov eax, dword ptr fs:[00000030h] 5_2_0145245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BC460 mov ecx, dword ptr fs:[00000030h] 5_2_014BC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145A470 mov eax, dword ptr fs:[00000030h] 5_2_0145A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145A470 mov eax, dword ptr fs:[00000030h] 5_2_0145A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145A470 mov eax, dword ptr fs:[00000030h] 5_2_0145A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01468402 mov eax, dword ptr fs:[00000030h] 5_2_01468402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01468402 mov eax, dword ptr fs:[00000030h] 5_2_01468402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01468402 mov eax, dword ptr fs:[00000030h] 5_2_01468402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142E420 mov eax, dword ptr fs:[00000030h] 5_2_0142E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142E420 mov eax, dword ptr fs:[00000030h] 5_2_0142E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142E420 mov eax, dword ptr fs:[00000030h] 5_2_0142E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142C427 mov eax, dword ptr fs:[00000030h] 5_2_0142C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h] 5_2_014B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h] 5_2_014B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h] 5_2_014B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h] 5_2_014B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h] 5_2_014B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h] 5_2_014B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h] 5_2_014B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A430 mov eax, dword ptr fs:[00000030h] 5_2_0146A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014304E5 mov ecx, dword ptr fs:[00000030h] 5_2_014304E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014EA49A mov eax, dword ptr fs:[00000030h] 5_2_014EA49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014364AB mov eax, dword ptr fs:[00000030h] 5_2_014364AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014644B0 mov ecx, dword ptr fs:[00000030h] 5_2_014644B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BA4B0 mov eax, dword ptr fs:[00000030h] 5_2_014BA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146674D mov esi, dword ptr fs:[00000030h] 5_2_0146674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146674D mov eax, dword ptr fs:[00000030h] 5_2_0146674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146674D mov eax, dword ptr fs:[00000030h] 5_2_0146674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430750 mov eax, dword ptr fs:[00000030h] 5_2_01430750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BE75D mov eax, dword ptr fs:[00000030h] 5_2_014BE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472750 mov eax, dword ptr fs:[00000030h] 5_2_01472750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472750 mov eax, dword ptr fs:[00000030h] 5_2_01472750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B4755 mov eax, dword ptr fs:[00000030h] 5_2_014B4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01438770 mov eax, dword ptr fs:[00000030h] 5_2_01438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h] 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h] 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h] 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h] 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h] 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h] 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h] 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h] 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h] 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h] 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h] 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h] 5_2_01440770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146C700 mov eax, dword ptr fs:[00000030h] 5_2_0146C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430710 mov eax, dword ptr fs:[00000030h] 5_2_01430710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01460710 mov eax, dword ptr fs:[00000030h] 5_2_01460710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146C720 mov eax, dword ptr fs:[00000030h] 5_2_0146C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146C720 mov eax, dword ptr fs:[00000030h] 5_2_0146C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146273C mov eax, dword ptr fs:[00000030h] 5_2_0146273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146273C mov ecx, dword ptr fs:[00000030h] 5_2_0146273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146273C mov eax, dword ptr fs:[00000030h] 5_2_0146273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AC730 mov eax, dword ptr fs:[00000030h] 5_2_014AC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143C7C0 mov eax, dword ptr fs:[00000030h] 5_2_0143C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B07C3 mov eax, dword ptr fs:[00000030h] 5_2_014B07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014527ED mov eax, dword ptr fs:[00000030h] 5_2_014527ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014527ED mov eax, dword ptr fs:[00000030h] 5_2_014527ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014527ED mov eax, dword ptr fs:[00000030h] 5_2_014527ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BE7E1 mov eax, dword ptr fs:[00000030h] 5_2_014BE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014347FB mov eax, dword ptr fs:[00000030h] 5_2_014347FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014347FB mov eax, dword ptr fs:[00000030h] 5_2_014347FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D678E mov eax, dword ptr fs:[00000030h] 5_2_014D678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014307AF mov eax, dword ptr fs:[00000030h] 5_2_014307AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E47A0 mov eax, dword ptr fs:[00000030h] 5_2_014E47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144C640 mov eax, dword ptr fs:[00000030h] 5_2_0144C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F866E mov eax, dword ptr fs:[00000030h] 5_2_014F866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F866E mov eax, dword ptr fs:[00000030h] 5_2_014F866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A660 mov eax, dword ptr fs:[00000030h] 5_2_0146A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A660 mov eax, dword ptr fs:[00000030h] 5_2_0146A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01462674 mov eax, dword ptr fs:[00000030h] 5_2_01462674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE609 mov eax, dword ptr fs:[00000030h] 5_2_014AE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144260B mov eax, dword ptr fs:[00000030h] 5_2_0144260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144260B mov eax, dword ptr fs:[00000030h] 5_2_0144260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144260B mov eax, dword ptr fs:[00000030h] 5_2_0144260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144260B mov eax, dword ptr fs:[00000030h] 5_2_0144260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144260B mov eax, dword ptr fs:[00000030h] 5_2_0144260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144260B mov eax, dword ptr fs:[00000030h] 5_2_0144260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144260B mov eax, dword ptr fs:[00000030h] 5_2_0144260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472619 mov eax, dword ptr fs:[00000030h] 5_2_01472619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144E627 mov eax, dword ptr fs:[00000030h] 5_2_0144E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01466620 mov eax, dword ptr fs:[00000030h] 5_2_01466620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01468620 mov eax, dword ptr fs:[00000030h] 5_2_01468620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143262C mov eax, dword ptr fs:[00000030h] 5_2_0143262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A6C7 mov ebx, dword ptr fs:[00000030h] 5_2_0146A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A6C7 mov eax, dword ptr fs:[00000030h] 5_2_0146A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE6F2 mov eax, dword ptr fs:[00000030h] 5_2_014AE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE6F2 mov eax, dword ptr fs:[00000030h] 5_2_014AE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE6F2 mov eax, dword ptr fs:[00000030h] 5_2_014AE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE6F2 mov eax, dword ptr fs:[00000030h] 5_2_014AE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B06F1 mov eax, dword ptr fs:[00000030h] 5_2_014B06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B06F1 mov eax, dword ptr fs:[00000030h] 5_2_014B06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01434690 mov eax, dword ptr fs:[00000030h] 5_2_01434690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01434690 mov eax, dword ptr fs:[00000030h] 5_2_01434690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146C6A6 mov eax, dword ptr fs:[00000030h] 5_2_0146C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014666B0 mov eax, dword ptr fs:[00000030h] 5_2_014666B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B0946 mov eax, dword ptr fs:[00000030h] 5_2_014B0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504940 mov eax, dword ptr fs:[00000030h] 5_2_01504940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01456962 mov eax, dword ptr fs:[00000030h] 5_2_01456962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01456962 mov eax, dword ptr fs:[00000030h] 5_2_01456962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01456962 mov eax, dword ptr fs:[00000030h] 5_2_01456962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0147096E mov eax, dword ptr fs:[00000030h] 5_2_0147096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0147096E mov edx, dword ptr fs:[00000030h] 5_2_0147096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0147096E mov eax, dword ptr fs:[00000030h] 5_2_0147096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D4978 mov eax, dword ptr fs:[00000030h] 5_2_014D4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D4978 mov eax, dword ptr fs:[00000030h] 5_2_014D4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BC97C mov eax, dword ptr fs:[00000030h] 5_2_014BC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE908 mov eax, dword ptr fs:[00000030h] 5_2_014AE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE908 mov eax, dword ptr fs:[00000030h] 5_2_014AE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BC912 mov eax, dword ptr fs:[00000030h] 5_2_014BC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01428918 mov eax, dword ptr fs:[00000030h] 5_2_01428918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01428918 mov eax, dword ptr fs:[00000030h] 5_2_01428918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B892A mov eax, dword ptr fs:[00000030h] 5_2_014B892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C892B mov eax, dword ptr fs:[00000030h] 5_2_014C892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C69C0 mov eax, dword ptr fs:[00000030h] 5_2_014C69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0143A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0143A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0143A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0143A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0143A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0143A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014649D0 mov eax, dword ptr fs:[00000030h] 5_2_014649D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FA9D3 mov eax, dword ptr fs:[00000030h] 5_2_014FA9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BE9E0 mov eax, dword ptr fs:[00000030h] 5_2_014BE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014629F9 mov eax, dword ptr fs:[00000030h] 5_2_014629F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014629F9 mov eax, dword ptr fs:[00000030h] 5_2_014629F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h] 5_2_014429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014309AD mov eax, dword ptr fs:[00000030h] 5_2_014309AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014309AD mov eax, dword ptr fs:[00000030h] 5_2_014309AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B89B3 mov esi, dword ptr fs:[00000030h] 5_2_014B89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B89B3 mov eax, dword ptr fs:[00000030h] 5_2_014B89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B89B3 mov eax, dword ptr fs:[00000030h] 5_2_014B89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01442840 mov ecx, dword ptr fs:[00000030h] 5_2_01442840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01460854 mov eax, dword ptr fs:[00000030h] 5_2_01460854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01434859 mov eax, dword ptr fs:[00000030h] 5_2_01434859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01434859 mov eax, dword ptr fs:[00000030h] 5_2_01434859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BE872 mov eax, dword ptr fs:[00000030h] 5_2_014BE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BE872 mov eax, dword ptr fs:[00000030h] 5_2_014BE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C6870 mov eax, dword ptr fs:[00000030h] 5_2_014C6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C6870 mov eax, dword ptr fs:[00000030h] 5_2_014C6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BC810 mov eax, dword ptr fs:[00000030h] 5_2_014BC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01452835 mov eax, dword ptr fs:[00000030h] 5_2_01452835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01452835 mov eax, dword ptr fs:[00000030h] 5_2_01452835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01452835 mov eax, dword ptr fs:[00000030h] 5_2_01452835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01452835 mov ecx, dword ptr fs:[00000030h] 5_2_01452835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01452835 mov eax, dword ptr fs:[00000030h] 5_2_01452835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01452835 mov eax, dword ptr fs:[00000030h] 5_2_01452835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A830 mov eax, dword ptr fs:[00000030h] 5_2_0146A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D483A mov eax, dword ptr fs:[00000030h] 5_2_014D483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D483A mov eax, dword ptr fs:[00000030h] 5_2_014D483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E8C0 mov eax, dword ptr fs:[00000030h] 5_2_0145E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_015008C0 mov eax, dword ptr fs:[00000030h] 5_2_015008C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FA8E4 mov eax, dword ptr fs:[00000030h] 5_2_014FA8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146C8F9 mov eax, dword ptr fs:[00000030h] 5_2_0146C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146C8F9 mov eax, dword ptr fs:[00000030h] 5_2_0146C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430887 mov eax, dword ptr fs:[00000030h] 5_2_01430887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BC89D mov eax, dword ptr fs:[00000030h] 5_2_014BC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E4B4B mov eax, dword ptr fs:[00000030h] 5_2_014E4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E4B4B mov eax, dword ptr fs:[00000030h] 5_2_014E4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01502B57 mov eax, dword ptr fs:[00000030h] 5_2_01502B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01502B57 mov eax, dword ptr fs:[00000030h] 5_2_01502B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01502B57 mov eax, dword ptr fs:[00000030h] 5_2_01502B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01502B57 mov eax, dword ptr fs:[00000030h] 5_2_01502B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C6B40 mov eax, dword ptr fs:[00000030h] 5_2_014C6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C6B40 mov eax, dword ptr fs:[00000030h] 5_2_014C6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FAB40 mov eax, dword ptr fs:[00000030h] 5_2_014FAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D8B42 mov eax, dword ptr fs:[00000030h] 5_2_014D8B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01428B50 mov eax, dword ptr fs:[00000030h] 5_2_01428B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DEB50 mov eax, dword ptr fs:[00000030h] 5_2_014DEB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142CB7E mov eax, dword ptr fs:[00000030h] 5_2_0142CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504B00 mov eax, dword ptr fs:[00000030h] 5_2_01504B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AEB1D mov eax, dword ptr fs:[00000030h] 5_2_014AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AEB1D mov eax, dword ptr fs:[00000030h] 5_2_014AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AEB1D mov eax, dword ptr fs:[00000030h] 5_2_014AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AEB1D mov eax, dword ptr fs:[00000030h] 5_2_014AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AEB1D mov eax, dword ptr fs:[00000030h] 5_2_014AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AEB1D mov eax, dword ptr fs:[00000030h] 5_2_014AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AEB1D mov eax, dword ptr fs:[00000030h] 5_2_014AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AEB1D mov eax, dword ptr fs:[00000030h] 5_2_014AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AEB1D mov eax, dword ptr fs:[00000030h] 5_2_014AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145EB20 mov eax, dword ptr fs:[00000030h] 5_2_0145EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145EB20 mov eax, dword ptr fs:[00000030h] 5_2_0145EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F8B28 mov eax, dword ptr fs:[00000030h] 5_2_014F8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F8B28 mov eax, dword ptr fs:[00000030h] 5_2_014F8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01450BCB mov eax, dword ptr fs:[00000030h] 5_2_01450BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01450BCB mov eax, dword ptr fs:[00000030h] 5_2_01450BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01450BCB mov eax, dword ptr fs:[00000030h] 5_2_01450BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430BCD mov eax, dword ptr fs:[00000030h] 5_2_01430BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430BCD mov eax, dword ptr fs:[00000030h] 5_2_01430BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430BCD mov eax, dword ptr fs:[00000030h] 5_2_01430BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DEBD0 mov eax, dword ptr fs:[00000030h] 5_2_014DEBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01438BF0 mov eax, dword ptr fs:[00000030h] 5_2_01438BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01438BF0 mov eax, dword ptr fs:[00000030h] 5_2_01438BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01438BF0 mov eax, dword ptr fs:[00000030h] 5_2_01438BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145EBFC mov eax, dword ptr fs:[00000030h] 5_2_0145EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BCBF0 mov eax, dword ptr fs:[00000030h] 5_2_014BCBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440BBE mov eax, dword ptr fs:[00000030h] 5_2_01440BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440BBE mov eax, dword ptr fs:[00000030h] 5_2_01440BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E4BB0 mov eax, dword ptr fs:[00000030h] 5_2_014E4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E4BB0 mov eax, dword ptr fs:[00000030h] 5_2_014E4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01436A50 mov eax, dword ptr fs:[00000030h] 5_2_01436A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01436A50 mov eax, dword ptr fs:[00000030h] 5_2_01436A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01436A50 mov eax, dword ptr fs:[00000030h] 5_2_01436A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01436A50 mov eax, dword ptr fs:[00000030h] 5_2_01436A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01436A50 mov eax, dword ptr fs:[00000030h] 5_2_01436A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01436A50 mov eax, dword ptr fs:[00000030h] 5_2_01436A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01436A50 mov eax, dword ptr fs:[00000030h] 5_2_01436A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440A5B mov eax, dword ptr fs:[00000030h] 5_2_01440A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440A5B mov eax, dword ptr fs:[00000030h] 5_2_01440A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146CA6F mov eax, dword ptr fs:[00000030h] 5_2_0146CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146CA6F mov eax, dword ptr fs:[00000030h] 5_2_0146CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146CA6F mov eax, dword ptr fs:[00000030h] 5_2_0146CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DEA60 mov eax, dword ptr fs:[00000030h] 5_2_014DEA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014ACA72 mov eax, dword ptr fs:[00000030h] 5_2_014ACA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014ACA72 mov eax, dword ptr fs:[00000030h] 5_2_014ACA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BCA11 mov eax, dword ptr fs:[00000030h] 5_2_014BCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146CA24 mov eax, dword ptr fs:[00000030h] 5_2_0146CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145EA2E mov eax, dword ptr fs:[00000030h] 5_2_0145EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01454A35 mov eax, dword ptr fs:[00000030h] 5_2_01454A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01454A35 mov eax, dword ptr fs:[00000030h] 5_2_01454A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146CA38 mov eax, dword ptr fs:[00000030h] 5_2_0146CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01486ACC mov eax, dword ptr fs:[00000030h] 5_2_01486ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01486ACC mov eax, dword ptr fs:[00000030h] 5_2_01486ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01486ACC mov eax, dword ptr fs:[00000030h] 5_2_01486ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430AD0 mov eax, dword ptr fs:[00000030h] 5_2_01430AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01464AD0 mov eax, dword ptr fs:[00000030h] 5_2_01464AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01464AD0 mov eax, dword ptr fs:[00000030h] 5_2_01464AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146AAEE mov eax, dword ptr fs:[00000030h] 5_2_0146AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146AAEE mov eax, dword ptr fs:[00000030h] 5_2_0146AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143EA80 mov eax, dword ptr fs:[00000030h] 5_2_0143EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143EA80 mov eax, dword ptr fs:[00000030h] 5_2_0143EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143EA80 mov eax, dword ptr fs:[00000030h] 5_2_0143EA80
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0006860F GetProcessHeap,HeapFree,memset, 7_2_0006860F
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000642F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_000642F0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00064550 SetUnhandledExceptionFilter, 7_2_00064550
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 103.224.212.216 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 3.33.130.190 80 Jump to behavior
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Pago pendiente.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe"
Source: C:\Users\user\Desktop\Pago pendiente.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe" Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 1028 Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 1028 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 60000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A36008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Pago pendiente.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe" Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: explorer.exe, 00000006.00000003.3097001927.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4449891914.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3097220261.0000000009C21000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000006.00000002.4443935876.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2011719338.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.4443935876.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2020151196.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2011719338.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.4443935876.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2011719338.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.4443935876.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2011719338.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000002.4443289671.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2011068724.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Pago pendiente.exe Queries volume information: C:\Users\user\Desktop\Pago pendiente.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pago pendiente.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00064775 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 7_2_00064775
Source: C:\Users\user\Desktop\Pago pendiente.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430321 Sample: Pago pendiente.exe Startdate: 23/04/2024 Architecture: WINDOWS Score: 100 32 www.zgcple.info 2->32 34 www.wonderdread.cloud 2->34 36 14 other IPs or domains 2->36 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 9 other signatures 2->50 11 Pago pendiente.exe 4 2->11         started        signatures3 process4 signatures5 60 Writes to foreign memory regions 11->60 62 Allocates memory in foreign processes 11->62 64 Adds a directory exclusion to Windows Defender 11->64 66 Injects a PE file into a foreign processes 11->66 14 RegSvcs.exe 11->14         started        17 powershell.exe 23 11->17         started        process6 signatures7 68 Modifies the context of a thread in another process (thread injection) 14->68 70 Maps a DLL or memory area into another process 14->70 72 Sample uses process hollowing technique 14->72 76 2 other signatures 14->76 19 explorer.exe 94 7 14->19 injected 74 Loading BitLocker PowerShell Module 17->74 23 conhost.exe 17->23         started        process8 dnsIp9 38 www.tronbank.club 103.224.212.216, 49717, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 19->38 40 k2securityhn.com 3.33.130.190, 49719, 49724, 80 AMAZONEXPANSIONGB United States 19->40 42 www.airzf.com 154.12.38.29, 49721, 80 UNMETEREDCA United States 19->42 52 System process connects to network (likely due to code injection or exploit) 19->52 25 control.exe 19->25         started        signatures10 process11 signatures12 54 Modifies the context of a thread in another process (thread injection) 25->54 56 Maps a DLL or memory area into another process 25->56 58 Tries to detect virtualization through RDTSC time measurements 25->58 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
154.12.38.29
 www.airzf.com United States
54133 UNMETEREDCA false
3.33.130.190
 signomo.com United States
8987 AMAZONEXPANSIONGB true
103.224.212.216
 www.tronbank.club Australia
133618 TRELLIAN-AS-APTrellianPtyLimitedAU true

Contacted Domains

Name IP Active
www.airzf.com 154.12.38.29 true
www.udin88b.us 154.83.2.141 true
parkingpage.namecheap.com 91.195.240.19 true
www.tronbank.club 103.224.212.216 true
signomo.com 3.33.130.190 true
k2securityhn.com 3.33.130.190 true
shops.myshopify.com 23.227.38.74 true
www.umastyle.club 103.224.212.210 true
www.actnowgreen.com unknown unknown
www.zgcple.info unknown unknown
www.wonderdread.cloud unknown unknown
www.urxetqt.com unknown unknown
www.signomo.com unknown unknown
www.k2securityhn.com unknown unknown
www.eternalknot1008.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.tronbank.club/gs12/?4h0=l5+ohMyXvfUY1BXURi/VBBPK89EwzQ1xmTW49ppdAXwminvYBxYYysXiCF4Xd1c73Byq&vT=LtxxLba true
  • Avira URL Cloud: safe
 unknown
www.lolabeautystudios.com/gs12/ true
  • Avira URL Cloud: safe
 low
http://www.k2securityhn.com/gs12/?4h0=q59tBajeIo68CyAO1CDG6iJlXnRVkR/RpgQvK7vE3BQj9j+5I7CNTMK9jJbO36qf2KSo&vT=LtxxLba true
  • Avira URL Cloud: safe
 unknown
http://www.airzf.com/gs12/?4h0=DR9+51q0CIrIDgcjStoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpz0r/rXmCdIn&vT=LtxxLba false
  • Avira URL Cloud: safe
 unknown
http://www.signomo.com/gs12/?4h0=sKMZ9JWmyHzsFnuZp0fZtWbmtlVDzCM4ZbYLfRKv+HtPtGiIGUjdRyYwPYcfKf7QGcOF&vT=LtxxLba true
  • Avira URL Cloud: safe
 unknown