Edit tour

Windows Analysis Report
scancopy shipping pdf.exe

Overview

General Information

Sample name:	scancopy shipping pdf.exe
Analysis ID:	1608113
MD5:	370347aba2b49870171c625a63759e96
SHA1:	662659b756079679b2f68da0a9da05dcbd4885ef
SHA256:	e9a1f5e4de3dfdf6cbd66863a6fa6a638cce8fa9555991756820b5af48682c79
Tags:	exeuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

scancopy shipping pdf.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\scancopy shipping pdf.exe" MD5: 370347ABA2B49870171C625A63759E96)

powershell.exe (PID: 7724 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KwNfRtD.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8104 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7808 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp79AA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7980 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 8000 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 8016 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

explorer.exe (PID: 3504 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

autofmt.exe (PID: 6824 cmdline: "C:\Windows\SysWOW64\autofmt.exe" MD5: C72D80A976B7EB40534E8464957A979F)

raserver.exe (PID: 3868 cmdline: "C:\Windows\SysWOW64\raserver.exe" MD5: D1053D114847677185F248FF98C3F255)

raserver.exe (PID: 6868 cmdline: "C:\Windows\SysWOW64\raserver.exe" MD5: D1053D114847677185F248FF98C3F255)

cmd.exe (PID: 2720 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

KwNfRtD.exe (PID: 8096 cmdline: C:\Users\user\AppData\Roaming\KwNfRtD.exe MD5: 370347ABA2B49870171C625A63759E96)

schtasks.exe (PID: 3664 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp8DEE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 3440 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 6044 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ubbs.xyz/b02a/"], "decoy": ["nnovate.host", "yrvo.shop", "obify.party", "55665.one", "vlisazouasiul.store", "arjohbs.shop", "mjsccc5716.shop", "nfluencer-marketing-86606.bond", "atellite-internet-74549.bond", "arehouse-inventory-82506.bond", "kanzaturf.net", "airbypatrickmcguire.net", "90880a15.buzz", "ancake888.info", "hopcroma.store", "usinessloanscanada524285.icu", "mdjr.world", "9kct.xyz", "ombrd.finance", "luratu.xyz", "commerce-97292.bond", "ovies4u-hd.online", "zmi.info", "ealth-insurance-63745.bond", "rypto-god.online", "ustdesk.email", "talezoom.asia", "haf.international", "heaterscm.net", "rejo.info", "nitedstatesofart.net", "ental-implants-29843.bond", "uzzleworld.xyz", "fg0m9c0lk.cyou", "emospin30.info", "ocejo.africa", "aqiwang.net", "vgtdvchvmdsvmdhbvgv.pro", "ymtech.digital", "ok-vi.sbs", "u5kt.net", "heoneglobal.store", "78158.legal", "argloscaremedia.info", "ailylife.pro", "nfotj.live", "obistores.online", "irofprague.net", "mpteamtoto88.today", "rmap.xyz", "zliving.xyz", "ubesafari.video", "aylee.blue", "ery.rocks", "udioevideo.store", "oneymachine.show", "885522a0.shop", "oodchoices.xyz", "ilano.shop", "vikadi.info", "ecoramay.store", "kit.run", "ookinguptolightup.net", "ndata.net"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.3849826873.000000001011C000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xb92:$a2: pass 0xb98:$a3: email 0xb9f:$a4: login 0xba6:$a5: signin 0xbb7:$a6: persistent 0xd8a:$r1: C:\Users\user\AppData\Roaming\NP10CA2E\NP1log.ini
00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7069:$a1: 3C 30 50 4F 53 54 74 09 40 0x35489:$a1: 3C 30 50 4F 53 54 74 09 40 0x628a9:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d998:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4bdb8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x791d8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb7d7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x39bf7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x67017:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x166bf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x44adf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71eff:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa720:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa98a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38b40:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38daa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65f60:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x661ca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x164bd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x448dd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71cfd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15fa9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x443c9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x717e9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x165bf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x449df:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71dff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16737:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x44b57:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x71f77:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb3a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x397c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x66be2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19621:$sqlite3step: 68 34 1C 7B E1 0x19734:$sqlite3step: 68 34 1C 7B E1 0x47a41:$sqlite3step: 68 34 1C 7B E1 0x47b54:$sqlite3step: 68 34 1C 7B E1 0x74e61:$sqlite3step: 68 34 1C 7B E1 0x74f74:$sqlite3step: 68 34 1C 7B E1 0x19650:$sqlite3text: 68 38 2A 90 C5 0x19775:$sqlite3text: 68 38 2A 90 C5 0x47a70:$sqlite3text: 68 38 2A 90 C5 0x47b95:$sqlite3text: 68 38 2A 90 C5 0x74e90:$sqlite3text: 68 38 2A 90 C5 0x74fb5:$sqlite3text: 68 38 2A 90 C5 0x19663:$sqlite3blob: 68 53 D8 7F 8C 0x1978b:$sqlite3blob: 68 53 D8 7F 8C 0x47a83:$sqlite3blob: 68 53 D8 7F 8C 0x47bab:$sqlite3blob: 68 53 D8 7F 8C 0x74ea3:$sqlite3blob: 68 53 D8 7F 8C 0x74fcb:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7119:$a1: 3C 30 50 4F 53 54 74 09 40 0x35539:$a1: 3C 30 50 4F 53 54 74 09 40 0x62959:$a1: 3C 30 50 4F 53 54 74 09 40 0x1da48:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4be68:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x79288:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb887:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x39ca7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x670c7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1676f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x44b8f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71faf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa7d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xaa3a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38bf0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38e5a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x66010:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6627a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1656d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4498d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71dad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16059:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x44479:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x71899:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1666f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x44a8f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71eaf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x167e7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x44c07:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x72027:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb452:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x39872:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x66c92:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x196d1:$sqlite3step: 68 34 1C 7B E1 0x197e4:$sqlite3step: 68 34 1C 7B E1 0x47af1:$sqlite3step: 68 34 1C 7B E1 0x47c04:$sqlite3step: 68 34 1C 7B E1 0x74f11:$sqlite3step: 68 34 1C 7B E1 0x75024:$sqlite3step: 68 34 1C 7B E1 0x19700:$sqlite3text: 68 38 2A 90 C5 0x19825:$sqlite3text: 68 38 2A 90 C5 0x47b20:$sqlite3text: 68 38 2A 90 C5 0x47c45:$sqlite3text: 68 38 2A 90 C5 0x74f40:$sqlite3text: 68 38 2A 90 C5 0x75065:$sqlite3text: 68 38 2A 90 C5 0x19713:$sqlite3blob: 68 53 D8 7F 8C 0x1983b:$sqlite3blob: 68 53 D8 7F 8C 0x47b33:$sqlite3blob: 68 53 D8 7F 8C 0x47c5b:$sqlite3blob: 68 53 D8 7F 8C 0x74f53:$sqlite3blob: 68 53 D8 7F 8C 0x7507b:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: scancopy shipping pdf.exe PID: 7528	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: scancopy shipping pdf.exe PID: 7528	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xc280:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: RegSvcs.exe PID: 8016	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9d1f:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: KwNfRtD.exe PID: 8096	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: KwNfRtD.exe PID: 8096	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6bf6:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: raserver.exe PID: 3868	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x13081a:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: raserver.exe PID: 6868	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x40fc:$a1: 3C 30 50 4F 53 54 74 09 40 0xacd18:$a1: 3C 30 50 4F 53 54 74 09 40 0x196d65:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
11.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
11.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
11.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
11.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
11.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\scancopy shipping pdf.exe", ParentImage: C:\Users\user\Desktop\scancopy shipping pdf.exe, ParentProcessId: 7528, ParentProcessName: scancopy shipping pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe", ProcessId: 7724, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp8DEE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp8DEE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\KwNfRtD.exe, ParentImage: C:\Users\user\AppData\Roaming\KwNfRtD.exe, ParentProcessId: 8096, ParentProcessName: KwNfRtD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp8DEE.tmp", ProcessId: 3664, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp79AA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp79AA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\scancopy shipping pdf.exe", ParentImage: C:\Users\user\Desktop\scancopy shipping pdf.exe, ParentProcessId: 7528, ParentProcessName: scancopy shipping pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp79AA.tmp", ProcessId: 7808, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\scancopy shipping pdf.exe", ParentImage: C:\Users\user\Desktop\scancopy shipping pdf.exe, ParentProcessId: 7528, ParentProcessName: scancopy shipping pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe", ProcessId: 7724, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp79AA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp79AA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\scancopy shipping pdf.exe", ParentImage: C:\Users\user\Desktop\scancopy shipping pdf.exe, ParentProcessId: 7528, ParentProcessName: scancopy shipping pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp79AA.tmp", ProcessId: 7808, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T08:59:59.839302+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.9	49981	15.197.172.60	80	TCP
2025-02-06T09:01:06.934946+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.9	49980	47.100.232.83	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.zliving.xyz/b02a/	Avira URL Cloud: Label: malware
Source: http://www.arjohbs.shop/b02a/www.mdjr.world	Avira URL Cloud: Label: malware
Source: http://www.ubbs.xyz/b02a/	Avira URL Cloud: Label: malware
Source: http://www.airbypatrickmcguire.net/b02a/	Avira URL Cloud: Label: malware
Source: http://www.kit.run/b02a/	Avira URL Cloud: Label: malware
Source: http://www.luratu.xyz/b02a/www.vikadi.info	Avira URL Cloud: Label: malware
Source: http://www.ubbs.xyz/b02a/www.ustdesk.email	Avira URL Cloud: Label: malware
Source: http://www.irofprague.net/b02a/	Avira URL Cloud: Label: malware
Source: http://www.arjohbs.shop/b02a/	Avira URL Cloud: Label: malware
Source: http://www.luratu.xyz/b02a/	Avira URL Cloud: Label: malware
Source: http://www.airbypatrickmcguire.net/b02a/www.ndata.net	Avira URL Cloud: Label: malware
Source: http://www.kit.run/b02a/www.ubbs.xyz	Avira URL Cloud: Label: malware
Source: http://www.kit.run/b02a/?D6ApE=6qMArvLkSOzJ9Z0AF31v8ug1rh0WITwL5L7OM1cXeQ4QxYhuoRklIl+MKV9S3PFr56re&j8sLW=NrQLB2	Avira URL Cloud: Label: malware
Source: http://www.zliving.xyz/b02a/www.yrvo.shop	Avira URL Cloud: Label: malware
Source: http://www.luratu.xyz	Avira URL Cloud: Label: malware
Source: www.ubbs.xyz/b02a/	Avira URL Cloud: Label: malware
Source: http://www.irofprague.net/b02a/www.luratu.xyz	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.ubbs.xyz/b02a/"], "decoy": ["nnovate.host", "yrvo.shop", "obify.party", "55665.one", "vlisazouasiul.store", "arjohbs.shop", "mjsccc5716.shop", "nfluencer-marketing-86606.bond", "atellite-internet-74549.bond", "arehouse-inventory-82506.bond", "kanzaturf.net", "airbypatrickmcguire.net", "90880a15.buzz", "ancake888.info", "hopcroma.store", "usinessloanscanada524285.icu", "mdjr.world", "9kct.xyz", "ombrd.finance", "luratu.xyz", "commerce-97292.bond", "ovies4u-hd.online", "zmi.info", "ealth-insurance-63745.bond", "rypto-god.online", "ustdesk.email", "talezoom.asia", "haf.international", "heaterscm.net", "rejo.info", "nitedstatesofart.net", "ental-implants-29843.bond", "uzzleworld.xyz", "fg0m9c0lk.cyou", "emospin30.info", "ocejo.africa", "aqiwang.net", "vgtdvchvmdsvmdhbvgv.pro", "ymtech.digital", "ok-vi.sbs", "u5kt.net", "heoneglobal.store", "78158.legal", "argloscaremedia.info", "ailylife.pro", "nfotj.live", "obistores.online", "irofprague.net", "mpteamtoto88.today", "rmap.xyz", "zliving.xyz", "ubesafari.video", "aylee.blue", "ery.rocks", "udioevideo.store", "oneymachine.show", "885522a0.shop", "oodchoices.xyz", "ilano.shop", "vikadi.info", "ecoramay.store", "kit.run", "ookinguptolightup.net", "ndata.net"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe

ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: scancopy shipping pdf.exe	Virustotal: Detection: 37%			Perma Link
Source: scancopy shipping pdf.exe	ReversingLabs: Detection: 44%

Yara detected FormBook

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: scancopy shipping pdf.exe

Joe Sandbox ML: detected

Source: scancopy shipping pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: scancopy shipping pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 0000000C.00000002.3850151235.00000000108FF000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000015.00000002.3833128943.00000000027EC000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000002.3834914835.0000000004A6F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000B.00000002.1467559356.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000014.00000002.1483247428.0000000004C6E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000014.00000002.1483247428.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000014.00000003.1472539324.0000000004928000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000014.00000003.1470326904.0000000004779000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000002.3833851400.0000000004520000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000015.00000003.1466256141.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000003.1469044516.0000000004377000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000002.3833851400.00000000046BE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.1467559356.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000014.00000002.1483247428.0000000004C6E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000014.00000002.1483247428.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000014.00000003.1472539324.0000000004928000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000014.00000003.1470326904.0000000004779000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000002.3833851400.0000000004520000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000015.00000003.1466256141.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000003.1469044516.0000000004377000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000002.3833851400.00000000046BE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: RAServer.pdb source: RegSvcs.exe, 0000000B.00000002.1466896302.000000000116D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1467368025.0000000001590000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1471011960.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000014.00000002.1474266751.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, raserver.exe, 00000015.00000002.3832661172.00000000005B0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 0000000C.00000002.3850151235.00000000108FF000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000015.00000002.3833128943.00000000027EC000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000002.3834914835.0000000004A6F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: RAServer.pdbGCTL source: RegSvcs.exe, 0000000B.00000002.1466896302.000000000116D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1467368025.0000000001590000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1471011960.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000014.00000002.1474266751.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, raserver.exe, 00000015.00000002.3832661172.00000000005B0000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop esi	11_2_004172CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop ebx	11_2_00407B25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi	11_2_00416CA9
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 4x nop then jmp 06D91594h	13_2_06D90FC1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49980 -> 47.100.232.83:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49980 -> 47.100.232.83:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49980 -> 47.100.232.83:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49981 -> 15.197.172.60:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49981 -> 15.197.172.60:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49981 -> 15.197.172.60:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 47.100.232.83 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.ubbs.xyz/b02a/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.ubbs.xyz
Source:	DNS query: www.zliving.xyz

Source: global traffic

HTTP traffic detected: GET /b02a/?D6ApE=6qMArvLkSOzJ9Z0AF31v8ug1rh0WITwL5L7OM1cXeQ4QxYhuoRklIl+MKV9S3PFr56re&j8sLW=NrQLB2 HTTP/1.1Host: www.kit.runConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 12_2_10104F82 getaddrinfo,setsockopt,recv,

12_2_10104F82

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.heoneglobal.store
Source: global traffic	DNS traffic detected: DNS query: www.kit.run
Source: global traffic	DNS traffic detected: DNS query: www.ubbs.xyz
Source: global traffic	DNS traffic detected: DNS query: www.ustdesk.email
Source: global traffic	DNS traffic detected: DNS query: www.irofprague.net
Source: global traffic	DNS traffic detected: DNS query: www.vikadi.info
Source: global traffic	DNS traffic detected: DNS query: www.haf.international
Source: global traffic	DNS traffic detected: DNS query: www.zliving.xyz
Source: global traffic	DNS traffic detected: DNS query: www.yrvo.shop
Source: global traffic	DNS traffic detected: DNS query: www.airbypatrickmcguire.net
Source: global traffic	DNS traffic detected: DNS query: www.ndata.net

Source: explorer.exe, 0000000C.00000003.2291814220.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2291814220.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000C.00000003.2291814220.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2291814220.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000C.00000003.2291814220.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2291814220.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000C.00000003.2291814220.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2291814220.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000C.00000002.3842715709.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1391732641.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.3841719607.0000000007670000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: scancopy shipping pdf.exe, 00000000.00000002.1408509794.00000000026FA000.00000004.00000800.00020000.00000000.sdmp, KwNfRtD.exe, 0000000D.00000002.1457615122.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.airbypatrickmcguire.net
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.airbypatrickmcguire.net/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.airbypatrickmcguire.net/b02a/www.ndata.net
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.airbypatrickmcguire.netReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arjohbs.shop
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arjohbs.shop/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arjohbs.shop/b02a/www.mdjr.world
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arjohbs.shopReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.haf.international
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.haf.international/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.haf.international/b02a/www.zliving.xyz
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.haf.internationalReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.heoneglobal.store
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.heoneglobal.store/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.heoneglobal.store/b02a/www.kit.run
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.heoneglobal.storeReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irofprague.net
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irofprague.net/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irofprague.net/b02a/www.luratu.xyz
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irofprague.netReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kit.run
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kit.run/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kit.run/b02a/www.ubbs.xyz
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kit.runReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.luratu.xyz
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.luratu.xyz/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.luratu.xyz/b02a/www.vikadi.info
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.luratu.xyzReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mdjr.world
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mdjr.world/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mdjr.world/b02a/www.rmap.xyz
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mdjr.worldReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ndata.net
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ndata.net/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ndata.net/b02a/www.talezoom.asia
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ndata.netReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rmap.xyz
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rmap.xyz/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rmap.xyz/b02a/t
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rmap.xyzReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.talezoom.asia
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.talezoom.asia/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.talezoom.asia/b02a/www.arjohbs.shop
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.talezoom.asiaReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ubbs.xyz
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ubbs.xyz/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ubbs.xyz/b02a/www.ustdesk.email
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ubbs.xyzReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ustdesk.email
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ustdesk.email/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ustdesk.email/b02a/www.irofprague.net
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ustdesk.emailReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vikadi.info
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vikadi.info/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vikadi.info/b02a/www.haf.international
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vikadi.infoReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yrvo.shop
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yrvo.shop/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yrvo.shop/b02a/www.airbypatrickmcguire.net
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yrvo.shopReferer:
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zliving.xyz
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zliving.xyz/b02a/
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zliving.xyz/b02a/www.yrvo.shop
Source: explorer.exe, 0000000C.00000003.2291269469.000000000C29D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3848757581.000000000C2AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zliving.xyzReferer:
Source: explorer.exe, 0000000C.00000000.1416492246.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2293396708.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3847269390.000000000BD22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
Source: explorer.exe, 0000000C.00000000.1416492246.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2293396708.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3847269390.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000C.00000000.1416492246.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2293396708.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3847269390.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSJM
Source: explorer.exe, 0000000C.00000000.1416492246.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2293396708.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3847269390.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSZM
Source: explorer.exe, 0000000C.00000000.1416492246.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2293396708.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3847269390.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSp
Source: explorer.exe, 0000000C.00000000.1409919237.000000000862F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.0000000008651000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3083294917.0000000008630000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.0000000008650000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2291814220.0000000008630000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
Source: explorer.exe, 0000000C.00000003.2291814220.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
Source: explorer.exe, 0000000C.00000002.3843250514.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2291814220.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/~T
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000C.00000003.2291814220.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
Source: explorer.exe, 0000000C.00000000.1416492246.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2293396708.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3847269390.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 0000000C.00000000.1416492246.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2293396708.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3847269390.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
Source: explorer.exe, 0000000C.00000000.1416492246.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2293396708.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3847269390.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000C.00000003.2291814220.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3082656540.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.000000000899E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 0000000C.00000000.1416492246.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2293396708.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3847269390.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.stacker.com/arizona/phoenix
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
Source: explorer.exe, 0000000C.00000002.3837724338.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1395900938.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2294451641.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3084775802.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.yelp.com

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.3849826873.000000001011C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: scancopy shipping pdf.exe PID: 7528, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 8016, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: KwNfRtD.exe PID: 8096, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: raserver.exe PID: 3868, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: raserver.exe PID: 6868, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041A320 NtCreateFile,	11_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041A3D0 NtReadFile,	11_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041A450 NtClose,	11_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041A500 NtAllocateVirtualMemory,	11_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041A31A NtCreateFile,	11_2_0041A31A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041A3CB NtReadFile,	11_2_0041A3CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041A44C NtClose,	11_2_0041A44C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632B60 NtClose,LdrInitializeThunk,	11_2_01632B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_01632BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632AD0 NtReadFile,LdrInitializeThunk,	11_2_01632AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632D30 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_01632D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_01632D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_01632DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632DD0 NtDelayExecution,LdrInitializeThunk,	11_2_01632DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_01632C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_01632CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632F30 NtCreateSection,LdrInitializeThunk,	11_2_01632F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632FE0 NtCreateFile,LdrInitializeThunk,	11_2_01632FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632FB0 NtResumeThread,LdrInitializeThunk,	11_2_01632FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632F90 NtProtectVirtualMemory,LdrInitializeThunk,	11_2_01632F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_01632EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632E80 NtReadVirtualMemory,LdrInitializeThunk,	11_2_01632E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01634340 NtSetContextThread,	11_2_01634340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01634650 NtSuspendThread,	11_2_01634650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632BE0 NtQueryValueKey,	11_2_01632BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632BA0 NtEnumerateValueKey,	11_2_01632BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632B80 NtQueryInformationFile,	11_2_01632B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632AF0 NtWriteFile,	11_2_01632AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632AB0 NtWaitForSingleObject,	11_2_01632AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632D00 NtSetInformationFile,	11_2_01632D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632DB0 NtEnumerateKey,	11_2_01632DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632C60 NtCreateKey,	11_2_01632C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632C00 NtQueryInformationProcess,	11_2_01632C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632CF0 NtOpenProcess,	11_2_01632CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632CC0 NtQueryVirtualMemory,	11_2_01632CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632F60 NtCreateProcessEx,	11_2_01632F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632FA0 NtQuerySection,	11_2_01632FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632E30 NtWriteVirtualMemory,	11_2_01632E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632EE0 NtQueueApcThread,	11_2_01632EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01633010 NtOpenDirectoryObject,	11_2_01633010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01633090 NtSetValueKey,	11_2_01633090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016335C0 NtCreateMutant,	11_2_016335C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016339B0 NtGetContextThread,	11_2_016339B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01633D70 NtOpenThread,	11_2_01633D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01633D10 NtOpenProcessToken,	11_2_01633D10
Source: C:\Windows\explorer.exe	Code function: 12_2_10105E12 NtProtectVirtualMemory,	12_2_10105E12
Source: C:\Windows\explorer.exe	Code function: 12_2_10104232 NtCreateFile,	12_2_10104232
Source: C:\Windows\explorer.exe	Code function: 12_2_10105E0A NtProtectVirtualMemory,	12_2_10105E0A

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683C638	0_2_0683C638
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683B728	0_2_0683B728
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683A508	0_2_0683A508
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06832E78	0_2_06832E78
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683AD28	0_2_0683AD28
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06839619	0_2_06839619
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06839628	0_2_06839628
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683C633	0_2_0683C633
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683E780	0_2_0683E780
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683B718	0_2_0683B718
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683E77F	0_2_0683E77F
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683A4F9	0_2_0683A4F9
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_068345A1	0_2_068345A1
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683D503	0_2_0683D503
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683D510	0_2_0683D510
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683E351	0_2_0683E351
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683E360	0_2_0683E360
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683AD1B	0_2_0683AD1B
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683EB80	0_2_0683EB80
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683EB11	0_2_0683EB11
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683EB70	0_2_0683EB70
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683E8E8	0_2_0683E8E8
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683E8F0	0_2_0683E8F0
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06863198	0_2_06863198
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06864B10	0_2_06864B10
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06863680	0_2_06863680
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06863670	0_2_06863670
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06863420	0_2_06863420
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06864420	0_2_06864420
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06864430	0_2_06864430
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06863430	0_2_06863430
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06860007	0_2_06860007
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06860040	0_2_06860040
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06863118	0_2_06863118
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0686313B	0_2_0686313B
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0686BE28	0_2_0686BE28
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06864FE1	0_2_06864FE1
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06864FF0	0_2_06864FF0
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0686DB00	0_2_0686DB00
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_06864B00	0_2_06864B00
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_068638C8	0_2_068638C8
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_068638D8	0_2_068638D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00401026	11_2_00401026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00401030	11_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041E1C4	11_2_0041E1C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041EA15	11_2_0041EA15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041E483	11_2_0041E483
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041E48D	11_2_0041E48D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402D87	11_2_00402D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402D90	11_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041D645	11_2_0041D645
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00409E4B	11_2_00409E4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00409E50	11_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041D755	11_2_0041D755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402FB0	11_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041E7BF	11_2_0041E7BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01688158	11_2_01688158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F0100	11_2_015F0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169A118	11_2_0169A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B81CC	11_2_016B81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C01AA	11_2_016C01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B41A2	11_2_016B41A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01692000	11_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BA352	11_2_016BA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C03E6	11_2_016C03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160E3F0	11_2_0160E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016802C0	11_2_016802C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600535	11_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C0591	11_2_016C0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B2446	11_2_016B2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A4420	11_2_016A4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016AE4F6	11_2_016AE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01624750	11_2_01624750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FC7C0	11_2_015FC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161C6E0	11_2_0161C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01616962	11_2_01616962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016CA9A6	11_2_016CA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160A840	11_2_0160A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01602840	11_2_01602840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E8F0	11_2_0162E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015E68B8	11_2_015E68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BAB40	11_2_016BAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B6BD7	11_2_016B6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FEA80	11_2_015FEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160AD00	11_2_0160AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169CD1F	11_2_0169CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FADE0	11_2_015FADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01618DBF	11_2_01618DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600C00	11_2_01600C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F0CF2	11_2_015F0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0CB5	11_2_016A0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01674F40	11_2_01674F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01642F28	11_2_01642F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01620F30	11_2_01620F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A2F30	11_2_016A2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160CFE0	11_2_0160CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F2FC8	11_2_015F2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167EFA0	11_2_0167EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600E59	11_2_01600E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BEE26	11_2_016BEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BEEDB	11_2_016BEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01612E90	11_2_01612E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BCE93	11_2_016BCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016CB16B	11_2_016CB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0163516C	11_2_0163516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EF172	11_2_015EF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160B1B0	11_2_0160B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B70E9	11_2_016B70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BF0E0	11_2_016BF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016070C0	11_2_016070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016AF0CC	11_2_016AF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015ED34C	11_2_015ED34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B132D	11_2_016B132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0164739A	11_2_0164739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A12ED	11_2_016A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161B2C0	11_2_0161B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016052A0	11_2_016052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B7571	11_2_016B7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C95C3	11_2_016C95C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169D5B0	11_2_0169D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F1460	11_2_015F1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BF43F	11_2_016BF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BF7B0	11_2_016BF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01645630	11_2_01645630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B16CC	11_2_016B16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01609950	11_2_01609950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161B950	11_2_0161B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01695910	11_2_01695910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166D800	11_2_0166D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016038E0	11_2_016038E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BFB76	11_2_016BFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01675BF0	11_2_01675BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0163DBF9	11_2_0163DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161FB80	11_2_0161FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01673A6C	11_2_01673A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BFA49	11_2_016BFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B7A46	11_2_016B7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016ADAC6	11_2_016ADAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01645AA0	11_2_01645AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169DAAC	11_2_0169DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A1AA3	11_2_016A1AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B7D73	11_2_016B7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01603D40	11_2_01603D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B1D5A	11_2_016B1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161FDC0	11_2_0161FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01679C32	11_2_01679C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BFCF2	11_2_016BFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BFF09	11_2_016BFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015C3FD5	11_2_015C3FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015C3FD2	11_2_015C3FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BFFB1	11_2_016BFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01601F92	11_2_01601F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01609EB0	11_2_01609EB0
Source: C:\Windows\explorer.exe	Code function: 12_2_0FF75B32	12_2_0FF75B32
Source: C:\Windows\explorer.exe	Code function: 12_2_0FF75B30	12_2_0FF75B30
Source: C:\Windows\explorer.exe	Code function: 12_2_0FF7B232	12_2_0FF7B232
Source: C:\Windows\explorer.exe	Code function: 12_2_0FF7E5CD	12_2_0FF7E5CD
Source: C:\Windows\explorer.exe	Code function: 12_2_0FF78912	12_2_0FF78912
Source: C:\Windows\explorer.exe	Code function: 12_2_0FF72D02	12_2_0FF72D02
Source: C:\Windows\explorer.exe	Code function: 12_2_0FF71082	12_2_0FF71082
Source: C:\Windows\explorer.exe	Code function: 12_2_0FF7A036	12_2_0FF7A036
Source: C:\Windows\explorer.exe	Code function: 12_2_10104232	12_2_10104232
Source: C:\Windows\explorer.exe	Code function: 12_2_10103036	12_2_10103036
Source: C:\Windows\explorer.exe	Code function: 12_2_100FA082	12_2_100FA082
Source: C:\Windows\explorer.exe	Code function: 12_2_10101912	12_2_10101912
Source: C:\Windows\explorer.exe	Code function: 12_2_100FBD02	12_2_100FBD02
Source: C:\Windows\explorer.exe	Code function: 12_2_100FEB32	12_2_100FEB32
Source: C:\Windows\explorer.exe	Code function: 12_2_100FEB30	12_2_100FEB30
Source: C:\Windows\explorer.exe	Code function: 12_2_101075CD	12_2_101075CD
Source: C:\Windows\explorer.exe	Code function: 12_2_1065B036	12_2_1065B036
Source: C:\Windows\explorer.exe	Code function: 12_2_10652082	12_2_10652082
Source: C:\Windows\explorer.exe	Code function: 12_2_10653D02	12_2_10653D02
Source: C:\Windows\explorer.exe	Code function: 12_2_10659912	12_2_10659912
Source: C:\Windows\explorer.exe	Code function: 12_2_1065F5CD	12_2_1065F5CD
Source: C:\Windows\explorer.exe	Code function: 12_2_1065C232	12_2_1065C232
Source: C:\Windows\explorer.exe	Code function: 12_2_10656B30	12_2_10656B30
Source: C:\Windows\explorer.exe	Code function: 12_2_10656B32	12_2_10656B32
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_04F603D8	13_2_04F603D8
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_04F60D98	13_2_04F60D98
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_04F60D88	13_2_04F60D88
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D62E78	13_2_06D62E78
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6C638	13_2_06D6C638
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6B728	13_2_06D6B728
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6A508	13_2_06D6A508
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6AD28	13_2_06D6AD28
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D69619	13_2_06D69619
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6C60D	13_2_06D6C60D
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D69628	13_2_06D69628
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6E780	13_2_06D6E780
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6E77F	13_2_06D6E77F
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6B718	13_2_06D6B718
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6A4F7	13_2_06D6A4F7
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D645A1	13_2_06D645A1
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6D510	13_2_06D6D510
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6AD1A	13_2_06D6AD1A
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6D502	13_2_06D6D502
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6EB80	13_2_06D6EB80
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6E351	13_2_06D6E351
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6EB70	13_2_06D6EB70
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6E360	13_2_06D6E360
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6E8F0	13_2_06D6E8F0
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D6E8E8	13_2_06D6E8E8
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_06D92B68	13_2_06D92B68
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B4D70	13_2_095B4D70
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B33F8	13_2_095B33F8
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B38D0	13_2_095B38D0
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B38E0	13_2_095B38E0
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B3B38	13_2_095B3B38
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B3B28	13_2_095B3B28
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B4D60	13_2_095B4D60
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095BDDC0	13_2_095BDDC0
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095BBCF0	13_2_095BBCF0
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B0040	13_2_095B0040
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B0006	13_2_095B0006
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B5250	13_2_095B5250
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B5241	13_2_095B5241
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B77D8	13_2_095B77D8
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B3690	13_2_095B3690
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B4690	13_2_095B4690
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B3680	13_2_095B3680
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Code function: 13_2_095B4680	13_2_095B4680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00FA6000	18_2_00FA6000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F50100	18_2_00F50100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00FE02C0	18_2_00FE02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F6E3F0	18_2_00F6E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00FB65D0	18_2_00FB65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00FB65B2	18_2_00FB65B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F60535	18_2_00F60535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F7C6E0	18_2_00F7C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F60770	18_2_00F60770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F84750	18_2_00F84750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F528F0	18_2_00F528F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F468F1	18_2_00F468F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F8E8F0	18_2_00F8E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F98890	18_2_00F98890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F6A840	18_2_00F6A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F76962	18_2_00F76962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F5EA80	18_2_00F5EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F62A45	18_2_00F62A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F50CF2	18_2_00F50CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F60C00	18_2_00F60C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F68DC0	18_2_00F68DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F78DBF	18_2_00F78DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F6ED7A	18_2_00F6ED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F6AD00	18_2_00F6AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F72ED9	18_2_00F72ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F60E59	18_2_00F60E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F52FC8	18_2_00F52FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00FDEFA0	18_2_00FDEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00FD4F40	18_2_00FD4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F80F30	18_2_00F80F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00FA2F28	18_2_00FA2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F6B1B0	18_2_00F6B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F4F172	18_2_00F4F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F9516C	18_2_00F9516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F7D2F0	18_2_00F7D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F652A0	18_2_00F652A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F633F3	18_2_00F633F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00FA74E0	18_2_00FA74E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F63497	18_2_00F63497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F6B730	18_2_00F6B730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F638E0	18_2_00F638E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00FCD800	18_2_00FCD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F659DA	18_2_00F659DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F51979	18_2_00F51979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F69950	18_2_00F69950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F7B950	18_2_00F7B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00FD3A6C	18_2_00FD3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F9DBF9	18_2_00F9DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00FD5BF0	18_2_00FD5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F7FB80	18_2_00F7FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00FD9C32	18_2_00FD9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F79C20	18_2_00F79C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F7FDC0	18_2_00F7FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F63D40	18_2_00F63D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F69EB0	18_2_00F69EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_00F61F92	18_2_00F61F92

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01635130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0166EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01647E54 appears 110 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00FCEA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00FA7E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0167F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 015EB970 appears 280 times

Source: scancopy shipping pdf.exe, 00000000.00000002.1405060208.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs scancopy shipping pdf.exe
Source: scancopy shipping pdf.exe, 00000000.00000002.1411100493.0000000003D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs scancopy shipping pdf.exe
Source: scancopy shipping pdf.exe, 00000000.00000000.1358687324.0000000000182000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameJvyI.exeD vs scancopy shipping pdf.exe
Source: scancopy shipping pdf.exe, 00000000.00000002.1417967762.0000000009C00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs scancopy shipping pdf.exe
Source: scancopy shipping pdf.exe	Binary or memory string: OriginalFilenameJvyI.exeD vs scancopy shipping pdf.exe

Source: scancopy shipping pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.3849826873.000000001011C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: scancopy shipping pdf.exe PID: 7528, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 8016, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: KwNfRtD.exe PID: 8096, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: raserver.exe PID: 3868, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: raserver.exe PID: 6868, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: scancopy shipping pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KwNfRtD.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, j2VgUFvb5Nu0h8OElV.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, j2VgUFvb5Nu0h8OElV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, j2VgUFvb5Nu0h8OElV.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, j2VgUFvb5Nu0h8OElV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, D4j1ojLUy1g2SNtioE.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, D4j1ojLUy1g2SNtioE.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, D4j1ojLUy1g2SNtioE.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, D4j1ojLUy1g2SNtioE.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, D4j1ojLUy1g2SNtioE.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, D4j1ojLUy1g2SNtioE.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@774/15@11/1

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

File created: C:\Users\user\AppData\Roaming\KwNfRtD.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Mutant created: \Sessions\1\BaseNamedObjects\bniuWOawa
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp79AA.tmp

Jump to behavior

Source: scancopy shipping pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: scancopy shipping pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: scancopy shipping pdf.exe	Virustotal: Detection: 37%
Source: scancopy shipping pdf.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

File read: C:\Users\user\Desktop\scancopy shipping pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\scancopy shipping pdf.exe "C:\Users\user\Desktop\scancopy shipping pdf.exe"
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KwNfRtD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp79AA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\KwNfRtD.exe C:\Users\user\AppData\Roaming\KwNfRtD.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp8DEE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KwNfRtD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp79AA.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp8DEE.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: wininet.dll

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: scancopy shipping pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: scancopy shipping pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 0000000C.00000002.3850151235.00000000108FF000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000015.00000002.3833128943.00000000027EC000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000002.3834914835.0000000004A6F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000B.00000002.1467559356.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000014.00000002.1483247428.0000000004C6E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000014.00000002.1483247428.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000014.00000003.1472539324.0000000004928000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000014.00000003.1470326904.0000000004779000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000002.3833851400.0000000004520000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000015.00000003.1466256141.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000003.1469044516.0000000004377000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000002.3833851400.00000000046BE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.1467559356.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000014.00000002.1483247428.0000000004C6E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000014.00000002.1483247428.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000014.00000003.1472539324.0000000004928000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000014.00000003.1470326904.0000000004779000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000002.3833851400.0000000004520000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000015.00000003.1466256141.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000003.1469044516.0000000004377000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000002.3833851400.00000000046BE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: RAServer.pdb source: RegSvcs.exe, 0000000B.00000002.1466896302.000000000116D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1467368025.0000000001590000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1471011960.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000014.00000002.1474266751.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, raserver.exe, 00000015.00000002.3832661172.00000000005B0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 0000000C.00000002.3850151235.00000000108FF000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000015.00000002.3833128943.00000000027EC000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000015.00000002.3834914835.0000000004A6F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: RAServer.pdbGCTL source: RegSvcs.exe, 0000000B.00000002.1466896302.000000000116D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.1467368025.0000000001590000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.1471011960.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000014.00000002.1474266751.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, raserver.exe, 00000015.00000002.3832661172.00000000005B0000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.scancopy shipping pdf.exe.3529f78.1.raw.unpack, MainForm.cs	.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, D4j1ojLUy1g2SNtioE.cs	.Net Code: cw4kxqoiUOAPIxbsNlb System.Reflection.Assembly.Load(byte[])
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, D4j1ojLUy1g2SNtioE.cs	.Net Code: cw4kxqoiUOAPIxbsNlb System.Reflection.Assembly.Load(byte[])

Suspicious powershell command line found

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe"
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe"			Jump to behavior

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683C0D0 push cs; ret	0_2_0683C0D1
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_0683AC98 push eax; iretd	0_2_0683AC99
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_068626E5 push es; iretd	0_2_068626EC
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Code function: 0_2_068624D1 push es; retf	0_2_06862510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041A803 push esp; ret	11_2_0041A80B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00416A7B push ds; iretd	11_2_00416A86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040627B push ebx; ret	11_2_0040627C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00416457 push es; iretd	11_2_0041645F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041D475 push eax; ret	11_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041A47A push esp; iretd	11_2_0041A47B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041D4C2 push eax; ret	11_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041D4CB push eax; ret	11_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041E483 push dword ptr [2E339416h]; ret	11_2_0041E7BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041E48D push dword ptr [2E339416h]; ret	11_2_0041E7BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041D52C push eax; ret	11_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004175E5 push esp; retf	11_2_004176CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041765E push esp; retf	11_2_004176CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004176CD push esp; retf	11_2_004176CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041EF29 push ds; ret	11_2_0041EF2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041E7BF push dword ptr [2E339416h]; ret	11_2_0041E7BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015C225F pushad ; ret	11_2_015C27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015C27FA pushad ; ret	11_2_015C27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F09AD push ecx; mov dword ptr [esp], ecx	11_2_015F09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015C283D push eax; iretd	11_2_015C2858
Source: C:\Windows\explorer.exe	Code function: 12_2_0FF7EB1E push esp; retn 0000h	12_2_0FF7EB1F
Source: C:\Windows\explorer.exe	Code function: 12_2_0FF7EB02 push esp; retn 0000h	12_2_0FF7EB03
Source: C:\Windows\explorer.exe	Code function: 12_2_0FF7E9B5 push esp; retn 0000h	12_2_0FF7EAE7
Source: C:\Windows\explorer.exe	Code function: 12_2_10107B1E push esp; retn 0000h	12_2_10107B1F
Source: C:\Windows\explorer.exe	Code function: 12_2_10107B02 push esp; retn 0000h	12_2_10107B03
Source: C:\Windows\explorer.exe	Code function: 12_2_101079B5 push esp; retn 0000h	12_2_10107AE7
Source: C:\Windows\explorer.exe	Code function: 12_2_1065F9B5 push esp; retn 0000h	12_2_1065FAE7

Source: scancopy shipping pdf.exe	Static PE information: section name: .text entropy: 7.662383650527631
Source: KwNfRtD.exe.0.dr	Static PE information: section name: .text entropy: 7.662383650527631

Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, GnFHSfzOsV62MU2PwA.cs	High entropy of concatenated method names: 'V1Rc8nGMpq', 'C6RcvbZvjI', 'R8pcnvCmFK', 'qIhcig8KvU', 'ftbcVj706X', 'ua4cUtbw14', 'amRcShZPRd', 'IFXc9ROPOR', 'SDRcf2w13O', 'RakcGejuXH'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, PIeXXQKBujWIwR141j.cs	High entropy of concatenated method names: 'ak2dHsnCY', 'L1qY0wkRA', 'SmU8QepWW', 'AJ4kNuAyx', 'jCEnNx6YA', 'olRZ0oWNR', 'Adb4aSu46N15IrarY7', 'NU3LVNvE5yVaQmYynT', 'wiQt624cZ3HKAC9qjC', 'M6qrtW3hu'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, lGdXun41BIqa4X2avWy.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cftxCcW7ot', 'lMqxcvFqbG', 'fRCxNy5TDd', 'EnExxV9chI', 'PaJxukbHUa', 'yF7xFrLRWf', 'ELFx9hMUIV'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, ruRQtI3rA8fOVqP6u2.cs	High entropy of concatenated method names: 'KCaayu5rvo', 'yIQaqTXU4m', 'A1MatTcJPD', 'IFAtJaDJJr', 'XOstzLVoWO', 'aBdaWntPu3', 'ILLa4JeK4q', 'ymUaK5VKnX', 'mufaeCH690', 'CJna15i1Ao'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, TG9n5Q44JlX7pi0LLJw.cs	High entropy of concatenated method names: 'cEqcJEMajD', 'jAcczPORxg', 'RETNWTqCBp', 'q8bN4LWp0I', 'WL7NKNddFn', 'o2RNeX92R7', 'Pf2N14nWaA', 'rwjNmyqf20', 's3LNyYbGZ1', 'FMrNXBP5I1'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, tdSGlLl6Uav8v6Xq3a.cs	High entropy of concatenated method names: 'L3eafrRfOx', 'b1BaGMD3qb', 'l7jadZPy6U', 'I98aYkd2Ra', 'nylahkhKNc', 'tfXa89QwQM', 'NyaakNtxol', 'Yfnavuytcj', 'nF0anCc51B', 's54aZLGTo6'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, QXYkq5ELmdVFNnp2bW.cs	High entropy of concatenated method names: 'wKB6IRSxYQ', 'vxp6RRommV', 'ToString', 'Pvi6yof1IU', 'DLA6XRoaqW', 'OtT6qpI1Wf', 'yrB62IVkCF', 'GKM6tH0s58', 'D9L6aDlO7M', 'M4R6LvQ2ib'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, CITjO0M3iEqUvSRFkk.cs	High entropy of concatenated method names: 'vTGCioGQim', 'AH7CVcfxm7', 'GApCgfg8ox', 'jyKCU28bVs', 'RZfCSv0CQA', 'tSMCOqD1rW', 'eTaC30MNOM', 'YXqCjd35H5', 'TITClJ4CrM', 'HRECoeDawE'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, dETJeuw3ILmFCVxXcJ.cs	High entropy of concatenated method names: 'ToString', 'iJiH06wgSg', 'mBLHVA9KYw', 'gn2HghBxDn', 'wdFHUCLiVv', 'PmUHSC2i6B', 'IBkHOburIe', 'um9H3s6CjH', 'L9MHjlvBkC', 'Lw0Hl2KX51'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, EEbLB6Z30P8Z92jSyy.cs	High entropy of concatenated method names: 'wLO2h5iawx', 'bIZ2kT5KTp', 'cflqggH238', 'kLrqU7qoA5', 'SOsqSor2pd', 'JOyqOa9t6X', 'Y9Fq3Hxal5', 'ONYqjYJuOU', 'aiAqlywODC', 'XJEqoXSrB0'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, pOy1ExQ6eDUGSZue67.cs	High entropy of concatenated method names: 'X9CbveVKpH', 'dRqbnYmxWr', 'jbWbi40iEZ', 'ySXbVAWmKZ', 'G1UbUIHwEZ', 'xDvbSVJb7k', 'zujb3TFWZS', 'sXCbjVBT1B', 'zaNboimyGa', 'w8Qb0LLQ6y'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, xIPMHg1umeVpQn6Q5Q.cs	High entropy of concatenated method names: 'FSa4a2VgUF', 'n5N4Lu0h8O', 'pIK4IVjxvB', 'AlP4R8nEbL', 'hjS47yypiC', 'WG94Hmmn2Q', 'oaPiXOFLTOyWSsd5ae', 'GvccjD1MAnoZaQsnZR', 'WZY44Z5CRy', 'Auf4eZyTVm'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, ViCp2w585689Ur7CGJ.cs	High entropy of concatenated method names: 'dsmC7C95bS', 'DyMC6t8RMc', 'CvFCCg4Fmx', 'gRGCNJlpRG', 'jAMCuMBOLX', 'Hu8C9TJwtl', 'Dispose', 'JxYryABbMy', 'cwxrXixv62', 'V0jrq4bIyd'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, uuDu3iTnYIOm92RraL.cs	High entropy of concatenated method names: 'Hab7oiLZj0', 'NQ87DfpkwP', 'fDk7TOAOxq', 'YE57P7XDHu', 'kYg7VM2WZV', 'ziq7g4BkPZ', 'TS67UOux7G', 'tpI7SCvOoI', 'gXy7OG78YX', 'GML734kEWj'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, iIv8WnJtI6mh3HPRlh.cs	High entropy of concatenated method names: 'CfRcq1ohOw', 'Djjc2eWm0b', 'KINctr85Kv', 'iltcarhiCY', 'LRBcCNCG7R', 'WLMcLUgNSE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, hYtBA0sBQ1PuMk1Aik.cs	High entropy of concatenated method names: 'e626A8YIH7', 'EuZ6J1yF0D', 'lEErW3r3tp', 'DXtr4GilMM', 'c0l60vkQti', 'DBt6DjgrRu', 'xF86QxB5wk', 'jr36TZZ2Xi', 'JwX6PjTGOG', 'ndP6wZkn2b'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, K3PIoHnIKVjxvBhlP8.cs	High entropy of concatenated method names: 'pJeqYjPEnR', 'uBlq84bcc2', 'lejqv0t0lF', 'QBBqnFgnsS', 'npdq7nCqCh', 'hiPqHfVJVd', 'umkq668Fwg', 'uiqqrp4P0N', 'FokqCRBP7P', 'bTEqc8SIHY'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, CD2bsZV1g2jBZ6LddO.cs	High entropy of concatenated method names: 'zJ8biy3dw7GYMJxjXVC', 'YnTvZI3LZcEtUM9QZma', 'TXxtrSQHis', 'heUtCmIddG', 'ixntcIQYlm', 'aMhpqf37SWEVB8waxB8', 'woXsQO3HkqRu0etKRps'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, D4j1ojLUy1g2SNtioE.cs	High entropy of concatenated method names: 'nP2emA2Pq4', 'J3weyW57bj', 'WFteXCj1Nf', 'tx2eqLOrkK', 'xwQe2xBQWj', 'FjMetZZxBP', 'XxmeaTxSDb', 'IkleLIDiQ2', 'q2ceBaxJ3c', 'LESeIjjtM3'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, j2VgUFvb5Nu0h8OElV.cs	High entropy of concatenated method names: 'Cl9XTkDIlk', 'cNvXP8wyAk', 'avFXwZVVXC', 'irDXEOQ3bO', 'UhNXpwA3Ww', 'Ax8XsH7Rva', 'b7wX50t5pC', 'SwVXA5v8rQ', 'j0nXMGEXhx', 'BSvXJRfdU6'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, UiC5G9immn2QjKW5oM.cs	High entropy of concatenated method names: 'MZ2tmafD0q', 'gb4tX0jrg0', 'QYVt2YbfMa', 'LJCtacRxBH', 'bFKtLwYwve', 'Lgm2pNLIPQ', 'PVF2sKUCGH', 'Y2j25tKmHK', 'lQZ2ABS7Rn', 'LAh2MJE6mv'
Source: 0.2.scancopy shipping pdf.exe.9c00000.3.raw.unpack, jiLC6pX1jsQGL7ig3L.cs	High entropy of concatenated method names: 'Dispose', 'q894MUr7CG', 'NvsKVKSb0Q', 'io4B1QxgBw', 'YDg4JysZLP', 'sPE4zB238F', 'ProcessDialogKey', 'o0kKWITjO0', 'LiEK4qUvSR', 'wkkKKtIv8W'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, GnFHSfzOsV62MU2PwA.cs	High entropy of concatenated method names: 'V1Rc8nGMpq', 'C6RcvbZvjI', 'R8pcnvCmFK', 'qIhcig8KvU', 'ftbcVj706X', 'ua4cUtbw14', 'amRcShZPRd', 'IFXc9ROPOR', 'SDRcf2w13O', 'RakcGejuXH'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, PIeXXQKBujWIwR141j.cs	High entropy of concatenated method names: 'ak2dHsnCY', 'L1qY0wkRA', 'SmU8QepWW', 'AJ4kNuAyx', 'jCEnNx6YA', 'olRZ0oWNR', 'Adb4aSu46N15IrarY7', 'NU3LVNvE5yVaQmYynT', 'wiQt624cZ3HKAC9qjC', 'M6qrtW3hu'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, lGdXun41BIqa4X2avWy.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cftxCcW7ot', 'lMqxcvFqbG', 'fRCxNy5TDd', 'EnExxV9chI', 'PaJxukbHUa', 'yF7xFrLRWf', 'ELFx9hMUIV'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, ruRQtI3rA8fOVqP6u2.cs	High entropy of concatenated method names: 'KCaayu5rvo', 'yIQaqTXU4m', 'A1MatTcJPD', 'IFAtJaDJJr', 'XOstzLVoWO', 'aBdaWntPu3', 'ILLa4JeK4q', 'ymUaK5VKnX', 'mufaeCH690', 'CJna15i1Ao'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, TG9n5Q44JlX7pi0LLJw.cs	High entropy of concatenated method names: 'cEqcJEMajD', 'jAcczPORxg', 'RETNWTqCBp', 'q8bN4LWp0I', 'WL7NKNddFn', 'o2RNeX92R7', 'Pf2N14nWaA', 'rwjNmyqf20', 's3LNyYbGZ1', 'FMrNXBP5I1'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, tdSGlLl6Uav8v6Xq3a.cs	High entropy of concatenated method names: 'L3eafrRfOx', 'b1BaGMD3qb', 'l7jadZPy6U', 'I98aYkd2Ra', 'nylahkhKNc', 'tfXa89QwQM', 'NyaakNtxol', 'Yfnavuytcj', 'nF0anCc51B', 's54aZLGTo6'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, QXYkq5ELmdVFNnp2bW.cs	High entropy of concatenated method names: 'wKB6IRSxYQ', 'vxp6RRommV', 'ToString', 'Pvi6yof1IU', 'DLA6XRoaqW', 'OtT6qpI1Wf', 'yrB62IVkCF', 'GKM6tH0s58', 'D9L6aDlO7M', 'M4R6LvQ2ib'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, CITjO0M3iEqUvSRFkk.cs	High entropy of concatenated method names: 'vTGCioGQim', 'AH7CVcfxm7', 'GApCgfg8ox', 'jyKCU28bVs', 'RZfCSv0CQA', 'tSMCOqD1rW', 'eTaC30MNOM', 'YXqCjd35H5', 'TITClJ4CrM', 'HRECoeDawE'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, dETJeuw3ILmFCVxXcJ.cs	High entropy of concatenated method names: 'ToString', 'iJiH06wgSg', 'mBLHVA9KYw', 'gn2HghBxDn', 'wdFHUCLiVv', 'PmUHSC2i6B', 'IBkHOburIe', 'um9H3s6CjH', 'L9MHjlvBkC', 'Lw0Hl2KX51'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, EEbLB6Z30P8Z92jSyy.cs	High entropy of concatenated method names: 'wLO2h5iawx', 'bIZ2kT5KTp', 'cflqggH238', 'kLrqU7qoA5', 'SOsqSor2pd', 'JOyqOa9t6X', 'Y9Fq3Hxal5', 'ONYqjYJuOU', 'aiAqlywODC', 'XJEqoXSrB0'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, pOy1ExQ6eDUGSZue67.cs	High entropy of concatenated method names: 'X9CbveVKpH', 'dRqbnYmxWr', 'jbWbi40iEZ', 'ySXbVAWmKZ', 'G1UbUIHwEZ', 'xDvbSVJb7k', 'zujb3TFWZS', 'sXCbjVBT1B', 'zaNboimyGa', 'w8Qb0LLQ6y'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, xIPMHg1umeVpQn6Q5Q.cs	High entropy of concatenated method names: 'FSa4a2VgUF', 'n5N4Lu0h8O', 'pIK4IVjxvB', 'AlP4R8nEbL', 'hjS47yypiC', 'WG94Hmmn2Q', 'oaPiXOFLTOyWSsd5ae', 'GvccjD1MAnoZaQsnZR', 'WZY44Z5CRy', 'Auf4eZyTVm'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, ViCp2w585689Ur7CGJ.cs	High entropy of concatenated method names: 'dsmC7C95bS', 'DyMC6t8RMc', 'CvFCCg4Fmx', 'gRGCNJlpRG', 'jAMCuMBOLX', 'Hu8C9TJwtl', 'Dispose', 'JxYryABbMy', 'cwxrXixv62', 'V0jrq4bIyd'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, uuDu3iTnYIOm92RraL.cs	High entropy of concatenated method names: 'Hab7oiLZj0', 'NQ87DfpkwP', 'fDk7TOAOxq', 'YE57P7XDHu', 'kYg7VM2WZV', 'ziq7g4BkPZ', 'TS67UOux7G', 'tpI7SCvOoI', 'gXy7OG78YX', 'GML734kEWj'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, iIv8WnJtI6mh3HPRlh.cs	High entropy of concatenated method names: 'CfRcq1ohOw', 'Djjc2eWm0b', 'KINctr85Kv', 'iltcarhiCY', 'LRBcCNCG7R', 'WLMcLUgNSE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, hYtBA0sBQ1PuMk1Aik.cs	High entropy of concatenated method names: 'e626A8YIH7', 'EuZ6J1yF0D', 'lEErW3r3tp', 'DXtr4GilMM', 'c0l60vkQti', 'DBt6DjgrRu', 'xF86QxB5wk', 'jr36TZZ2Xi', 'JwX6PjTGOG', 'ndP6wZkn2b'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, K3PIoHnIKVjxvBhlP8.cs	High entropy of concatenated method names: 'pJeqYjPEnR', 'uBlq84bcc2', 'lejqv0t0lF', 'QBBqnFgnsS', 'npdq7nCqCh', 'hiPqHfVJVd', 'umkq668Fwg', 'uiqqrp4P0N', 'FokqCRBP7P', 'bTEqc8SIHY'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, CD2bsZV1g2jBZ6LddO.cs	High entropy of concatenated method names: 'zJ8biy3dw7GYMJxjXVC', 'YnTvZI3LZcEtUM9QZma', 'TXxtrSQHis', 'heUtCmIddG', 'ixntcIQYlm', 'aMhpqf37SWEVB8waxB8', 'woXsQO3HkqRu0etKRps'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, D4j1ojLUy1g2SNtioE.cs	High entropy of concatenated method names: 'nP2emA2Pq4', 'J3weyW57bj', 'WFteXCj1Nf', 'tx2eqLOrkK', 'xwQe2xBQWj', 'FjMetZZxBP', 'XxmeaTxSDb', 'IkleLIDiQ2', 'q2ceBaxJ3c', 'LESeIjjtM3'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, j2VgUFvb5Nu0h8OElV.cs	High entropy of concatenated method names: 'Cl9XTkDIlk', 'cNvXP8wyAk', 'avFXwZVVXC', 'irDXEOQ3bO', 'UhNXpwA3Ww', 'Ax8XsH7Rva', 'b7wX50t5pC', 'SwVXA5v8rQ', 'j0nXMGEXhx', 'BSvXJRfdU6'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, UiC5G9immn2QjKW5oM.cs	High entropy of concatenated method names: 'MZ2tmafD0q', 'gb4tX0jrg0', 'QYVt2YbfMa', 'LJCtacRxBH', 'bFKtLwYwve', 'Lgm2pNLIPQ', 'PVF2sKUCGH', 'Y2j25tKmHK', 'lQZ2ABS7Rn', 'LAh2MJE6mv'
Source: 0.2.scancopy shipping pdf.exe.3f1ce98.0.raw.unpack, jiLC6pX1jsQGL7ig3L.cs	High entropy of concatenated method names: 'Dispose', 'q894MUr7CG', 'NvsKVKSb0Q', 'io4B1QxgBw', 'YDg4JysZLP', 'sPE4zB238F', 'ProcessDialogKey', 'o0kKWITjO0', 'LiEK4qUvSR', 'wkkKKtIv8W'

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

File created: C:\Users\user\AppData\Roaming\KwNfRtD.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp79AA.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: scancopy shipping pdf.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KwNfRtD.exe PID: 8096, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FF908190774
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FF90818D544
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FF90818D8A4
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FF90818DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 439904 second address: 43990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 439B6E second address: 439B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 2C09904 second address: 2C0990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 2C09B6E second address: 2C09B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory allocated: 2440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory allocated: 24E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory allocated: 44E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory allocated: 7120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory allocated: 8120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory allocated: 82C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory allocated: 92C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory allocated: 9C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory allocated: AC80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory allocated: BC80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory allocated: 2910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory allocated: 49B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory allocated: 70A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory allocated: 80A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory allocated: 8230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory allocated: 9230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory allocated: 9C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory allocated: AC30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory allocated: BC30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 11_2_00409AA0 rdtsc

11_2_00409AA0

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3267	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 690	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4544	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 867	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4055	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5884	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 884	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 866	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Window / User API: threadDelayed 9837

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.2 %

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe TID: 7548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7944	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8056	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5656	Thread sleep count: 4055 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5656	Thread sleep time: -8110000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5656	Thread sleep count: 5884 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5656	Thread sleep time: -11768000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe TID: 8160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 1516	Thread sleep count: 135 > 30
Source: C:\Windows\SysWOW64\raserver.exe TID: 1516	Thread sleep time: -270000s >= -30000s
Source: C:\Windows\SysWOW64\raserver.exe TID: 1516	Thread sleep count: 9837 > 30
Source: C:\Windows\SysWOW64\raserver.exe TID: 1516	Thread sleep time: -19674000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior

Source: explorer.exe, 0000000C.00000003.2291814220.000000000888E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: explorer.exe, 0000000C.00000002.3843882502.0000000008979000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00`
Source: explorer.exe, 0000000C.00000003.3083294917.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 0000000C.00000002.3843250514.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2291814220.0000000008796000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe
Source: explorer.exe, 0000000C.00000003.2291814220.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1409919237.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3843250514.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2291814220.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3087491602.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3083294917.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000C.00000000.1387821227.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
Source: explorer.exe, 0000000C.00000003.3083294917.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
Source: explorer.exe, 0000000C.00000003.3082656540.00000000088E6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000C.00000003.3082656540.00000000088E6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
Source: explorer.exe, 0000000C.00000000.1387821227.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000C.00000003.3082656540.00000000088E6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000C.00000000.1387821227.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000C.00000003.3082656540.00000000088E6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 11_2_00409AA0 rdtsc

11_2_00409AA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 11_2_0040ACE0 LdrLoadDll,

11_2_0040ACE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EC156 mov eax, dword ptr fs:[00000030h]	11_2_015EC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C4164 mov eax, dword ptr fs:[00000030h]	11_2_016C4164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C4164 mov eax, dword ptr fs:[00000030h]	11_2_016C4164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F6154 mov eax, dword ptr fs:[00000030h]	11_2_015F6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F6154 mov eax, dword ptr fs:[00000030h]	11_2_015F6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01684144 mov eax, dword ptr fs:[00000030h]	11_2_01684144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01684144 mov eax, dword ptr fs:[00000030h]	11_2_01684144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01684144 mov ecx, dword ptr fs:[00000030h]	11_2_01684144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01684144 mov eax, dword ptr fs:[00000030h]	11_2_01684144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01684144 mov eax, dword ptr fs:[00000030h]	11_2_01684144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01688158 mov eax, dword ptr fs:[00000030h]	11_2_01688158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01620124 mov eax, dword ptr fs:[00000030h]	11_2_01620124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E10E mov eax, dword ptr fs:[00000030h]	11_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E10E mov ecx, dword ptr fs:[00000030h]	11_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E10E mov eax, dword ptr fs:[00000030h]	11_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E10E mov eax, dword ptr fs:[00000030h]	11_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E10E mov ecx, dword ptr fs:[00000030h]	11_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E10E mov eax, dword ptr fs:[00000030h]	11_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E10E mov eax, dword ptr fs:[00000030h]	11_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E10E mov ecx, dword ptr fs:[00000030h]	11_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E10E mov eax, dword ptr fs:[00000030h]	11_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E10E mov ecx, dword ptr fs:[00000030h]	11_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169A118 mov ecx, dword ptr fs:[00000030h]	11_2_0169A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169A118 mov eax, dword ptr fs:[00000030h]	11_2_0169A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169A118 mov eax, dword ptr fs:[00000030h]	11_2_0169A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169A118 mov eax, dword ptr fs:[00000030h]	11_2_0169A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B0115 mov eax, dword ptr fs:[00000030h]	11_2_016B0115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C61E5 mov eax, dword ptr fs:[00000030h]	11_2_016C61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016201F8 mov eax, dword ptr fs:[00000030h]	11_2_016201F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B61C3 mov eax, dword ptr fs:[00000030h]	11_2_016B61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B61C3 mov eax, dword ptr fs:[00000030h]	11_2_016B61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166E1D0 mov eax, dword ptr fs:[00000030h]	11_2_0166E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166E1D0 mov eax, dword ptr fs:[00000030h]	11_2_0166E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166E1D0 mov ecx, dword ptr fs:[00000030h]	11_2_0166E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166E1D0 mov eax, dword ptr fs:[00000030h]	11_2_0166E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166E1D0 mov eax, dword ptr fs:[00000030h]	11_2_0166E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EA197 mov eax, dword ptr fs:[00000030h]	11_2_015EA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EA197 mov eax, dword ptr fs:[00000030h]	11_2_015EA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EA197 mov eax, dword ptr fs:[00000030h]	11_2_015EA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016AC188 mov eax, dword ptr fs:[00000030h]	11_2_016AC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016AC188 mov eax, dword ptr fs:[00000030h]	11_2_016AC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01630185 mov eax, dword ptr fs:[00000030h]	11_2_01630185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01694180 mov eax, dword ptr fs:[00000030h]	11_2_01694180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01694180 mov eax, dword ptr fs:[00000030h]	11_2_01694180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167019F mov eax, dword ptr fs:[00000030h]	11_2_0167019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167019F mov eax, dword ptr fs:[00000030h]	11_2_0167019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167019F mov eax, dword ptr fs:[00000030h]	11_2_0167019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167019F mov eax, dword ptr fs:[00000030h]	11_2_0167019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F2050 mov eax, dword ptr fs:[00000030h]	11_2_015F2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161C073 mov eax, dword ptr fs:[00000030h]	11_2_0161C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01676050 mov eax, dword ptr fs:[00000030h]	11_2_01676050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01686030 mov eax, dword ptr fs:[00000030h]	11_2_01686030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01674000 mov ecx, dword ptr fs:[00000030h]	11_2_01674000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01692000 mov eax, dword ptr fs:[00000030h]	11_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01692000 mov eax, dword ptr fs:[00000030h]	11_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01692000 mov eax, dword ptr fs:[00000030h]	11_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01692000 mov eax, dword ptr fs:[00000030h]	11_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01692000 mov eax, dword ptr fs:[00000030h]	11_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01692000 mov eax, dword ptr fs:[00000030h]	11_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01692000 mov eax, dword ptr fs:[00000030h]	11_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01692000 mov eax, dword ptr fs:[00000030h]	11_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160E016 mov eax, dword ptr fs:[00000030h]	11_2_0160E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160E016 mov eax, dword ptr fs:[00000030h]	11_2_0160E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160E016 mov eax, dword ptr fs:[00000030h]	11_2_0160E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160E016 mov eax, dword ptr fs:[00000030h]	11_2_0160E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EA020 mov eax, dword ptr fs:[00000030h]	11_2_015EA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EC020 mov eax, dword ptr fs:[00000030h]	11_2_015EC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016760E0 mov eax, dword ptr fs:[00000030h]	11_2_016760E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016320F0 mov ecx, dword ptr fs:[00000030h]	11_2_016320F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EC0F0 mov eax, dword ptr fs:[00000030h]	11_2_015EC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F80E9 mov eax, dword ptr fs:[00000030h]	11_2_015F80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016720DE mov eax, dword ptr fs:[00000030h]	11_2_016720DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EA0E3 mov ecx, dword ptr fs:[00000030h]	11_2_015EA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016880A8 mov eax, dword ptr fs:[00000030h]	11_2_016880A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B60B8 mov eax, dword ptr fs:[00000030h]	11_2_016B60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B60B8 mov ecx, dword ptr fs:[00000030h]	11_2_016B60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F208A mov eax, dword ptr fs:[00000030h]	11_2_015F208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015E80A0 mov eax, dword ptr fs:[00000030h]	11_2_015E80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169437C mov eax, dword ptr fs:[00000030h]	11_2_0169437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C634F mov eax, dword ptr fs:[00000030h]	11_2_016C634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01672349 mov eax, dword ptr fs:[00000030h]	11_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BA352 mov eax, dword ptr fs:[00000030h]	11_2_016BA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01698350 mov ecx, dword ptr fs:[00000030h]	11_2_01698350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167035C mov eax, dword ptr fs:[00000030h]	11_2_0167035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167035C mov eax, dword ptr fs:[00000030h]	11_2_0167035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167035C mov eax, dword ptr fs:[00000030h]	11_2_0167035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167035C mov ecx, dword ptr fs:[00000030h]	11_2_0167035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167035C mov eax, dword ptr fs:[00000030h]	11_2_0167035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167035C mov eax, dword ptr fs:[00000030h]	11_2_0167035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C8324 mov eax, dword ptr fs:[00000030h]	11_2_016C8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C8324 mov ecx, dword ptr fs:[00000030h]	11_2_016C8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C8324 mov eax, dword ptr fs:[00000030h]	11_2_016C8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C8324 mov eax, dword ptr fs:[00000030h]	11_2_016C8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EC310 mov ecx, dword ptr fs:[00000030h]	11_2_015EC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162A30B mov eax, dword ptr fs:[00000030h]	11_2_0162A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162A30B mov eax, dword ptr fs:[00000030h]	11_2_0162A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162A30B mov eax, dword ptr fs:[00000030h]	11_2_0162A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01610310 mov ecx, dword ptr fs:[00000030h]	11_2_01610310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016003E9 mov eax, dword ptr fs:[00000030h]	11_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016003E9 mov eax, dword ptr fs:[00000030h]	11_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016003E9 mov eax, dword ptr fs:[00000030h]	11_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016003E9 mov eax, dword ptr fs:[00000030h]	11_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016003E9 mov eax, dword ptr fs:[00000030h]	11_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016003E9 mov eax, dword ptr fs:[00000030h]	11_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016003E9 mov eax, dword ptr fs:[00000030h]	11_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016003E9 mov eax, dword ptr fs:[00000030h]	11_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160E3F0 mov eax, dword ptr fs:[00000030h]	11_2_0160E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160E3F0 mov eax, dword ptr fs:[00000030h]	11_2_0160E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160E3F0 mov eax, dword ptr fs:[00000030h]	11_2_0160E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016263FF mov eax, dword ptr fs:[00000030h]	11_2_016263FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F83C0 mov eax, dword ptr fs:[00000030h]	11_2_015F83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F83C0 mov eax, dword ptr fs:[00000030h]	11_2_015F83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F83C0 mov eax, dword ptr fs:[00000030h]	11_2_015F83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F83C0 mov eax, dword ptr fs:[00000030h]	11_2_015F83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	11_2_015FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	11_2_015FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	11_2_015FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	11_2_015FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	11_2_015FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	11_2_015FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016AC3CD mov eax, dword ptr fs:[00000030h]	11_2_016AC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016763C0 mov eax, dword ptr fs:[00000030h]	11_2_016763C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E3DB mov eax, dword ptr fs:[00000030h]	11_2_0169E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E3DB mov eax, dword ptr fs:[00000030h]	11_2_0169E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E3DB mov ecx, dword ptr fs:[00000030h]	11_2_0169E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169E3DB mov eax, dword ptr fs:[00000030h]	11_2_0169E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016943D4 mov eax, dword ptr fs:[00000030h]	11_2_016943D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016943D4 mov eax, dword ptr fs:[00000030h]	11_2_016943D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015E8397 mov eax, dword ptr fs:[00000030h]	11_2_015E8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015E8397 mov eax, dword ptr fs:[00000030h]	11_2_015E8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015E8397 mov eax, dword ptr fs:[00000030h]	11_2_015E8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EE388 mov eax, dword ptr fs:[00000030h]	11_2_015EE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EE388 mov eax, dword ptr fs:[00000030h]	11_2_015EE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EE388 mov eax, dword ptr fs:[00000030h]	11_2_015EE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161438F mov eax, dword ptr fs:[00000030h]	11_2_0161438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161438F mov eax, dword ptr fs:[00000030h]	11_2_0161438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F6259 mov eax, dword ptr fs:[00000030h]	11_2_015F6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EA250 mov eax, dword ptr fs:[00000030h]	11_2_015EA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274 mov eax, dword ptr fs:[00000030h]	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274 mov eax, dword ptr fs:[00000030h]	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274 mov eax, dword ptr fs:[00000030h]	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274 mov eax, dword ptr fs:[00000030h]	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274 mov eax, dword ptr fs:[00000030h]	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274 mov eax, dword ptr fs:[00000030h]	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274 mov eax, dword ptr fs:[00000030h]	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274 mov eax, dword ptr fs:[00000030h]	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274 mov eax, dword ptr fs:[00000030h]	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274 mov eax, dword ptr fs:[00000030h]	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274 mov eax, dword ptr fs:[00000030h]	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A0274 mov eax, dword ptr fs:[00000030h]	11_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01678243 mov eax, dword ptr fs:[00000030h]	11_2_01678243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01678243 mov ecx, dword ptr fs:[00000030h]	11_2_01678243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C625D mov eax, dword ptr fs:[00000030h]	11_2_016C625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015E826B mov eax, dword ptr fs:[00000030h]	11_2_015E826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016AA250 mov eax, dword ptr fs:[00000030h]	11_2_016AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016AA250 mov eax, dword ptr fs:[00000030h]	11_2_016AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F4260 mov eax, dword ptr fs:[00000030h]	11_2_015F4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F4260 mov eax, dword ptr fs:[00000030h]	11_2_015F4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F4260 mov eax, dword ptr fs:[00000030h]	11_2_015F4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015E823B mov eax, dword ptr fs:[00000030h]	11_2_015E823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016002E1 mov eax, dword ptr fs:[00000030h]	11_2_016002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016002E1 mov eax, dword ptr fs:[00000030h]	11_2_016002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016002E1 mov eax, dword ptr fs:[00000030h]	11_2_016002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	11_2_015FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	11_2_015FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	11_2_015FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	11_2_015FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	11_2_015FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C62D6 mov eax, dword ptr fs:[00000030h]	11_2_016C62D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016002A0 mov eax, dword ptr fs:[00000030h]	11_2_016002A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016002A0 mov eax, dword ptr fs:[00000030h]	11_2_016002A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016862A0 mov eax, dword ptr fs:[00000030h]	11_2_016862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016862A0 mov ecx, dword ptr fs:[00000030h]	11_2_016862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016862A0 mov eax, dword ptr fs:[00000030h]	11_2_016862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016862A0 mov eax, dword ptr fs:[00000030h]	11_2_016862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016862A0 mov eax, dword ptr fs:[00000030h]	11_2_016862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016862A0 mov eax, dword ptr fs:[00000030h]	11_2_016862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01670283 mov eax, dword ptr fs:[00000030h]	11_2_01670283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01670283 mov eax, dword ptr fs:[00000030h]	11_2_01670283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01670283 mov eax, dword ptr fs:[00000030h]	11_2_01670283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E284 mov eax, dword ptr fs:[00000030h]	11_2_0162E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E284 mov eax, dword ptr fs:[00000030h]	11_2_0162E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162656A mov eax, dword ptr fs:[00000030h]	11_2_0162656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162656A mov eax, dword ptr fs:[00000030h]	11_2_0162656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162656A mov eax, dword ptr fs:[00000030h]	11_2_0162656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F8550 mov eax, dword ptr fs:[00000030h]	11_2_015F8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F8550 mov eax, dword ptr fs:[00000030h]	11_2_015F8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600535 mov eax, dword ptr fs:[00000030h]	11_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600535 mov eax, dword ptr fs:[00000030h]	11_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600535 mov eax, dword ptr fs:[00000030h]	11_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600535 mov eax, dword ptr fs:[00000030h]	11_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600535 mov eax, dword ptr fs:[00000030h]	11_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600535 mov eax, dword ptr fs:[00000030h]	11_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E53E mov eax, dword ptr fs:[00000030h]	11_2_0161E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E53E mov eax, dword ptr fs:[00000030h]	11_2_0161E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E53E mov eax, dword ptr fs:[00000030h]	11_2_0161E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E53E mov eax, dword ptr fs:[00000030h]	11_2_0161E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E53E mov eax, dword ptr fs:[00000030h]	11_2_0161E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01686500 mov eax, dword ptr fs:[00000030h]	11_2_01686500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C4500 mov eax, dword ptr fs:[00000030h]	11_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C4500 mov eax, dword ptr fs:[00000030h]	11_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C4500 mov eax, dword ptr fs:[00000030h]	11_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C4500 mov eax, dword ptr fs:[00000030h]	11_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C4500 mov eax, dword ptr fs:[00000030h]	11_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C4500 mov eax, dword ptr fs:[00000030h]	11_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C4500 mov eax, dword ptr fs:[00000030h]	11_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	11_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F65D0 mov eax, dword ptr fs:[00000030h]	11_2_015F65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162C5ED mov eax, dword ptr fs:[00000030h]	11_2_0162C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162C5ED mov eax, dword ptr fs:[00000030h]	11_2_0162C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E5CF mov eax, dword ptr fs:[00000030h]	11_2_0162E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E5CF mov eax, dword ptr fs:[00000030h]	11_2_0162E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162A5D0 mov eax, dword ptr fs:[00000030h]	11_2_0162A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162A5D0 mov eax, dword ptr fs:[00000030h]	11_2_0162A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F25E0 mov eax, dword ptr fs:[00000030h]	11_2_015F25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016705A7 mov eax, dword ptr fs:[00000030h]	11_2_016705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016705A7 mov eax, dword ptr fs:[00000030h]	11_2_016705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016705A7 mov eax, dword ptr fs:[00000030h]	11_2_016705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016145B1 mov eax, dword ptr fs:[00000030h]	11_2_016145B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016145B1 mov eax, dword ptr fs:[00000030h]	11_2_016145B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F2582 mov eax, dword ptr fs:[00000030h]	11_2_015F2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F2582 mov ecx, dword ptr fs:[00000030h]	11_2_015F2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01624588 mov eax, dword ptr fs:[00000030h]	11_2_01624588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E59C mov eax, dword ptr fs:[00000030h]	11_2_0162E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015E645D mov eax, dword ptr fs:[00000030h]	11_2_015E645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167C460 mov ecx, dword ptr fs:[00000030h]	11_2_0167C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161A470 mov eax, dword ptr fs:[00000030h]	11_2_0161A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161A470 mov eax, dword ptr fs:[00000030h]	11_2_0161A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161A470 mov eax, dword ptr fs:[00000030h]	11_2_0161A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E443 mov eax, dword ptr fs:[00000030h]	11_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E443 mov eax, dword ptr fs:[00000030h]	11_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E443 mov eax, dword ptr fs:[00000030h]	11_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E443 mov eax, dword ptr fs:[00000030h]	11_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E443 mov eax, dword ptr fs:[00000030h]	11_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E443 mov eax, dword ptr fs:[00000030h]	11_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E443 mov eax, dword ptr fs:[00000030h]	11_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162E443 mov eax, dword ptr fs:[00000030h]	11_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161245A mov eax, dword ptr fs:[00000030h]	11_2_0161245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016AA456 mov eax, dword ptr fs:[00000030h]	11_2_016AA456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01676420 mov eax, dword ptr fs:[00000030h]	11_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01676420 mov eax, dword ptr fs:[00000030h]	11_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01676420 mov eax, dword ptr fs:[00000030h]	11_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01676420 mov eax, dword ptr fs:[00000030h]	11_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01676420 mov eax, dword ptr fs:[00000030h]	11_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01676420 mov eax, dword ptr fs:[00000030h]	11_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01676420 mov eax, dword ptr fs:[00000030h]	11_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162A430 mov eax, dword ptr fs:[00000030h]	11_2_0162A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01628402 mov eax, dword ptr fs:[00000030h]	11_2_01628402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01628402 mov eax, dword ptr fs:[00000030h]	11_2_01628402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01628402 mov eax, dword ptr fs:[00000030h]	11_2_01628402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EC427 mov eax, dword ptr fs:[00000030h]	11_2_015EC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EE420 mov eax, dword ptr fs:[00000030h]	11_2_015EE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EE420 mov eax, dword ptr fs:[00000030h]	11_2_015EE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015EE420 mov eax, dword ptr fs:[00000030h]	11_2_015EE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F04E5 mov ecx, dword ptr fs:[00000030h]	11_2_015F04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016244B0 mov ecx, dword ptr fs:[00000030h]	11_2_016244B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167A4B0 mov eax, dword ptr fs:[00000030h]	11_2_0167A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016AA49A mov eax, dword ptr fs:[00000030h]	11_2_016AA49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F64AB mov eax, dword ptr fs:[00000030h]	11_2_015F64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F0750 mov eax, dword ptr fs:[00000030h]	11_2_015F0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770 mov eax, dword ptr fs:[00000030h]	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770 mov eax, dword ptr fs:[00000030h]	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770 mov eax, dword ptr fs:[00000030h]	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770 mov eax, dword ptr fs:[00000030h]	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770 mov eax, dword ptr fs:[00000030h]	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770 mov eax, dword ptr fs:[00000030h]	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770 mov eax, dword ptr fs:[00000030h]	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770 mov eax, dword ptr fs:[00000030h]	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770 mov eax, dword ptr fs:[00000030h]	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770 mov eax, dword ptr fs:[00000030h]	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770 mov eax, dword ptr fs:[00000030h]	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600770 mov eax, dword ptr fs:[00000030h]	11_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F8770 mov eax, dword ptr fs:[00000030h]	11_2_015F8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162674D mov esi, dword ptr fs:[00000030h]	11_2_0162674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162674D mov eax, dword ptr fs:[00000030h]	11_2_0162674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162674D mov eax, dword ptr fs:[00000030h]	11_2_0162674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01674755 mov eax, dword ptr fs:[00000030h]	11_2_01674755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632750 mov eax, dword ptr fs:[00000030h]	11_2_01632750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632750 mov eax, dword ptr fs:[00000030h]	11_2_01632750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167E75D mov eax, dword ptr fs:[00000030h]	11_2_0167E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162C720 mov eax, dword ptr fs:[00000030h]	11_2_0162C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162C720 mov eax, dword ptr fs:[00000030h]	11_2_0162C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F0710 mov eax, dword ptr fs:[00000030h]	11_2_015F0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166C730 mov eax, dword ptr fs:[00000030h]	11_2_0166C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162273C mov eax, dword ptr fs:[00000030h]	11_2_0162273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162273C mov ecx, dword ptr fs:[00000030h]	11_2_0162273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162273C mov eax, dword ptr fs:[00000030h]	11_2_0162273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162C700 mov eax, dword ptr fs:[00000030h]	11_2_0162C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01620710 mov eax, dword ptr fs:[00000030h]	11_2_01620710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167E7E1 mov eax, dword ptr fs:[00000030h]	11_2_0167E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016127ED mov eax, dword ptr fs:[00000030h]	11_2_016127ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016127ED mov eax, dword ptr fs:[00000030h]	11_2_016127ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016127ED mov eax, dword ptr fs:[00000030h]	11_2_016127ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FC7C0 mov eax, dword ptr fs:[00000030h]	11_2_015FC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F47FB mov eax, dword ptr fs:[00000030h]	11_2_015F47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F47FB mov eax, dword ptr fs:[00000030h]	11_2_015F47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016707C3 mov eax, dword ptr fs:[00000030h]	11_2_016707C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A47A0 mov eax, dword ptr fs:[00000030h]	11_2_016A47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169678E mov eax, dword ptr fs:[00000030h]	11_2_0169678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F07AF mov eax, dword ptr fs:[00000030h]	11_2_015F07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162A660 mov eax, dword ptr fs:[00000030h]	11_2_0162A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162A660 mov eax, dword ptr fs:[00000030h]	11_2_0162A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B866E mov eax, dword ptr fs:[00000030h]	11_2_016B866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B866E mov eax, dword ptr fs:[00000030h]	11_2_016B866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01622674 mov eax, dword ptr fs:[00000030h]	11_2_01622674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160C640 mov eax, dword ptr fs:[00000030h]	11_2_0160C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01626620 mov eax, dword ptr fs:[00000030h]	11_2_01626620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01628620 mov eax, dword ptr fs:[00000030h]	11_2_01628620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160E627 mov eax, dword ptr fs:[00000030h]	11_2_0160E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160260B mov eax, dword ptr fs:[00000030h]	11_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160260B mov eax, dword ptr fs:[00000030h]	11_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160260B mov eax, dword ptr fs:[00000030h]	11_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160260B mov eax, dword ptr fs:[00000030h]	11_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160260B mov eax, dword ptr fs:[00000030h]	11_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160260B mov eax, dword ptr fs:[00000030h]	11_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0160260B mov eax, dword ptr fs:[00000030h]	11_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166E609 mov eax, dword ptr fs:[00000030h]	11_2_0166E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F262C mov eax, dword ptr fs:[00000030h]	11_2_015F262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01632619 mov eax, dword ptr fs:[00000030h]	11_2_01632619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166E6F2 mov eax, dword ptr fs:[00000030h]	11_2_0166E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166E6F2 mov eax, dword ptr fs:[00000030h]	11_2_0166E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166E6F2 mov eax, dword ptr fs:[00000030h]	11_2_0166E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166E6F2 mov eax, dword ptr fs:[00000030h]	11_2_0166E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016706F1 mov eax, dword ptr fs:[00000030h]	11_2_016706F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016706F1 mov eax, dword ptr fs:[00000030h]	11_2_016706F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162A6C7 mov ebx, dword ptr fs:[00000030h]	11_2_0162A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162A6C7 mov eax, dword ptr fs:[00000030h]	11_2_0162A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162C6A6 mov eax, dword ptr fs:[00000030h]	11_2_0162C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F4690 mov eax, dword ptr fs:[00000030h]	11_2_015F4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F4690 mov eax, dword ptr fs:[00000030h]	11_2_015F4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016266B0 mov eax, dword ptr fs:[00000030h]	11_2_016266B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01616962 mov eax, dword ptr fs:[00000030h]	11_2_01616962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01616962 mov eax, dword ptr fs:[00000030h]	11_2_01616962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01616962 mov eax, dword ptr fs:[00000030h]	11_2_01616962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0163096E mov eax, dword ptr fs:[00000030h]	11_2_0163096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0163096E mov edx, dword ptr fs:[00000030h]	11_2_0163096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0163096E mov eax, dword ptr fs:[00000030h]	11_2_0163096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01694978 mov eax, dword ptr fs:[00000030h]	11_2_01694978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01694978 mov eax, dword ptr fs:[00000030h]	11_2_01694978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167C97C mov eax, dword ptr fs:[00000030h]	11_2_0167C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01670946 mov eax, dword ptr fs:[00000030h]	11_2_01670946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C4940 mov eax, dword ptr fs:[00000030h]	11_2_016C4940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0168892B mov eax, dword ptr fs:[00000030h]	11_2_0168892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015E8918 mov eax, dword ptr fs:[00000030h]	11_2_015E8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015E8918 mov eax, dword ptr fs:[00000030h]	11_2_015E8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167892A mov eax, dword ptr fs:[00000030h]	11_2_0167892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166E908 mov eax, dword ptr fs:[00000030h]	11_2_0166E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166E908 mov eax, dword ptr fs:[00000030h]	11_2_0166E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167C912 mov eax, dword ptr fs:[00000030h]	11_2_0167C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167E9E0 mov eax, dword ptr fs:[00000030h]	11_2_0167E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	11_2_015FA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	11_2_015FA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	11_2_015FA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	11_2_015FA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	11_2_015FA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	11_2_015FA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016229F9 mov eax, dword ptr fs:[00000030h]	11_2_016229F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016229F9 mov eax, dword ptr fs:[00000030h]	11_2_016229F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016869C0 mov eax, dword ptr fs:[00000030h]	11_2_016869C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016249D0 mov eax, dword ptr fs:[00000030h]	11_2_016249D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BA9D3 mov eax, dword ptr fs:[00000030h]	11_2_016BA9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016029A0 mov eax, dword ptr fs:[00000030h]	11_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016789B3 mov esi, dword ptr fs:[00000030h]	11_2_016789B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016789B3 mov eax, dword ptr fs:[00000030h]	11_2_016789B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016789B3 mov eax, dword ptr fs:[00000030h]	11_2_016789B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F09AD mov eax, dword ptr fs:[00000030h]	11_2_015F09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F09AD mov eax, dword ptr fs:[00000030h]	11_2_015F09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F4859 mov eax, dword ptr fs:[00000030h]	11_2_015F4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F4859 mov eax, dword ptr fs:[00000030h]	11_2_015F4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167E872 mov eax, dword ptr fs:[00000030h]	11_2_0167E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167E872 mov eax, dword ptr fs:[00000030h]	11_2_0167E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01686870 mov eax, dword ptr fs:[00000030h]	11_2_01686870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01686870 mov eax, dword ptr fs:[00000030h]	11_2_01686870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01602840 mov ecx, dword ptr fs:[00000030h]	11_2_01602840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01620854 mov eax, dword ptr fs:[00000030h]	11_2_01620854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162A830 mov eax, dword ptr fs:[00000030h]	11_2_0162A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169483A mov eax, dword ptr fs:[00000030h]	11_2_0169483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169483A mov eax, dword ptr fs:[00000030h]	11_2_0169483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01612835 mov eax, dword ptr fs:[00000030h]	11_2_01612835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01612835 mov eax, dword ptr fs:[00000030h]	11_2_01612835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01612835 mov eax, dword ptr fs:[00000030h]	11_2_01612835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01612835 mov ecx, dword ptr fs:[00000030h]	11_2_01612835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01612835 mov eax, dword ptr fs:[00000030h]	11_2_01612835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01612835 mov eax, dword ptr fs:[00000030h]	11_2_01612835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167C810 mov eax, dword ptr fs:[00000030h]	11_2_0167C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BA8E4 mov eax, dword ptr fs:[00000030h]	11_2_016BA8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162C8F9 mov eax, dword ptr fs:[00000030h]	11_2_0162C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162C8F9 mov eax, dword ptr fs:[00000030h]	11_2_0162C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161E8C0 mov eax, dword ptr fs:[00000030h]	11_2_0161E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C08C0 mov eax, dword ptr fs:[00000030h]	11_2_016C08C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F0887 mov eax, dword ptr fs:[00000030h]	11_2_015F0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167C89D mov eax, dword ptr fs:[00000030h]	11_2_0167C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015E8B50 mov eax, dword ptr fs:[00000030h]	11_2_015E8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015ECB7E mov eax, dword ptr fs:[00000030h]	11_2_015ECB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A4B4B mov eax, dword ptr fs:[00000030h]	11_2_016A4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A4B4B mov eax, dword ptr fs:[00000030h]	11_2_016A4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01686B40 mov eax, dword ptr fs:[00000030h]	11_2_01686B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01686B40 mov eax, dword ptr fs:[00000030h]	11_2_01686B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016BAB40 mov eax, dword ptr fs:[00000030h]	11_2_016BAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01698B42 mov eax, dword ptr fs:[00000030h]	11_2_01698B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169EB50 mov eax, dword ptr fs:[00000030h]	11_2_0169EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C2B57 mov eax, dword ptr fs:[00000030h]	11_2_016C2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C2B57 mov eax, dword ptr fs:[00000030h]	11_2_016C2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C2B57 mov eax, dword ptr fs:[00000030h]	11_2_016C2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C2B57 mov eax, dword ptr fs:[00000030h]	11_2_016C2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161EB20 mov eax, dword ptr fs:[00000030h]	11_2_0161EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161EB20 mov eax, dword ptr fs:[00000030h]	11_2_0161EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B8B28 mov eax, dword ptr fs:[00000030h]	11_2_016B8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016B8B28 mov eax, dword ptr fs:[00000030h]	11_2_016B8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016C4B00 mov eax, dword ptr fs:[00000030h]	11_2_016C4B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166EB1D mov eax, dword ptr fs:[00000030h]	11_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166EB1D mov eax, dword ptr fs:[00000030h]	11_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166EB1D mov eax, dword ptr fs:[00000030h]	11_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166EB1D mov eax, dword ptr fs:[00000030h]	11_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166EB1D mov eax, dword ptr fs:[00000030h]	11_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166EB1D mov eax, dword ptr fs:[00000030h]	11_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166EB1D mov eax, dword ptr fs:[00000030h]	11_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166EB1D mov eax, dword ptr fs:[00000030h]	11_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166EB1D mov eax, dword ptr fs:[00000030h]	11_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F0BCD mov eax, dword ptr fs:[00000030h]	11_2_015F0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F0BCD mov eax, dword ptr fs:[00000030h]	11_2_015F0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F0BCD mov eax, dword ptr fs:[00000030h]	11_2_015F0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167CBF0 mov eax, dword ptr fs:[00000030h]	11_2_0167CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161EBFC mov eax, dword ptr fs:[00000030h]	11_2_0161EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01610BCB mov eax, dword ptr fs:[00000030h]	11_2_01610BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01610BCB mov eax, dword ptr fs:[00000030h]	11_2_01610BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01610BCB mov eax, dword ptr fs:[00000030h]	11_2_01610BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F8BF0 mov eax, dword ptr fs:[00000030h]	11_2_015F8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F8BF0 mov eax, dword ptr fs:[00000030h]	11_2_015F8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F8BF0 mov eax, dword ptr fs:[00000030h]	11_2_015F8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169EBD0 mov eax, dword ptr fs:[00000030h]	11_2_0169EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A4BB0 mov eax, dword ptr fs:[00000030h]	11_2_016A4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_016A4BB0 mov eax, dword ptr fs:[00000030h]	11_2_016A4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600BBE mov eax, dword ptr fs:[00000030h]	11_2_01600BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600BBE mov eax, dword ptr fs:[00000030h]	11_2_01600BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0169EA60 mov eax, dword ptr fs:[00000030h]	11_2_0169EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162CA6F mov eax, dword ptr fs:[00000030h]	11_2_0162CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162CA6F mov eax, dword ptr fs:[00000030h]	11_2_0162CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162CA6F mov eax, dword ptr fs:[00000030h]	11_2_0162CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F6A50 mov eax, dword ptr fs:[00000030h]	11_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F6A50 mov eax, dword ptr fs:[00000030h]	11_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F6A50 mov eax, dword ptr fs:[00000030h]	11_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F6A50 mov eax, dword ptr fs:[00000030h]	11_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F6A50 mov eax, dword ptr fs:[00000030h]	11_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F6A50 mov eax, dword ptr fs:[00000030h]	11_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F6A50 mov eax, dword ptr fs:[00000030h]	11_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166CA72 mov eax, dword ptr fs:[00000030h]	11_2_0166CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0166CA72 mov eax, dword ptr fs:[00000030h]	11_2_0166CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600A5B mov eax, dword ptr fs:[00000030h]	11_2_01600A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01600A5B mov eax, dword ptr fs:[00000030h]	11_2_01600A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162CA24 mov eax, dword ptr fs:[00000030h]	11_2_0162CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0161EA2E mov eax, dword ptr fs:[00000030h]	11_2_0161EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01614A35 mov eax, dword ptr fs:[00000030h]	11_2_01614A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01614A35 mov eax, dword ptr fs:[00000030h]	11_2_01614A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162CA38 mov eax, dword ptr fs:[00000030h]	11_2_0162CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0167CA11 mov eax, dword ptr fs:[00000030h]	11_2_0167CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162AAEE mov eax, dword ptr fs:[00000030h]	11_2_0162AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0162AAEE mov eax, dword ptr fs:[00000030h]	11_2_0162AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015F0AD0 mov eax, dword ptr fs:[00000030h]	11_2_015F0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01646ACC mov eax, dword ptr fs:[00000030h]	11_2_01646ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01646ACC mov eax, dword ptr fs:[00000030h]	11_2_01646ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01646ACC mov eax, dword ptr fs:[00000030h]	11_2_01646ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01624AD0 mov eax, dword ptr fs:[00000030h]	11_2_01624AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01624AD0 mov eax, dword ptr fs:[00000030h]	11_2_01624AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01646AA4 mov eax, dword ptr fs:[00000030h]	11_2_01646AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FEA80 mov eax, dword ptr fs:[00000030h]	11_2_015FEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_015FEA80 mov eax, dword ptr fs:[00000030h]	11_2_015FEA80

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 47.100.232.83 80

Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe"
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KwNfRtD.exe"
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KwNfRtD.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x1A0A4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0xE7A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0xE7A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x1A0A56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3504	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3504
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 3504

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 5B0000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 5B0000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CD7008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7F0008	Jump to behavior

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\scancopy shipping pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KwNfRtD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp79AA.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KwNfRtD" /XML "C:\Users\user\AppData\Local\Temp\tmp8DEE.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: explorer.exe, 0000000C.00000000.1389730863.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.3833565874.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000C.00000002.3843250514.00000000087E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1394420037.0000000004480000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1389730863.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000000.1389730863.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.3833565874.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000000.1389730863.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.3833565874.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000C.00000002.3832797593.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1387821227.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanq

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

Code function: 0_2_068330C8 cpuid

0_2_068330C8

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Queries volume information: C:\Users\user\Desktop\scancopy shipping pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\scancopy shipping pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Queries volume information: C:\Users\user\AppData\Roaming\KwNfRtD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KwNfRtD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\scancopy shipping pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.3832958745.00000000026F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1411100493.0000000004042000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3832472273.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1465837719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1460869505.0000000004510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1476698839.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3832843029.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	812 Process Injection	1 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	812 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	222 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report scancopy shipping pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
scancopy shipping pdf.exe