Analysis Report nova narud#U017eba pdf rvP6N.exe

Overview

General Information

Sample Name: nova narud#U017eba pdf rvP6N.exe
Analysis ID: 383924
MD5: 35076f942b11f79d1156069e55ab132d
SHA1: edad117505f1a87b7512a6c85cac30d691d2ff0a
SHA256: 56e676fae09b69a9eae221e0590776815f7fa38e7cc90822cd3060ea289d7547
Tags: exe, Formbook, geo, HRV
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: www.lovetarot.online/sqxs/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.lovetarot.online/sqxs/"], "decoy": ["creid-network.com", "dinningatcastlehill.com", "fundadilla.com", "fashionmdeasy.com", "magentos6.com", "pushpartybdp.com", "streamingnetwork.xyz", "sevenredwalls.com", "hsuehsun.space", "leanbirthdaycake.com", "rocketmortgagedeceit.com", "cashflowdb.com", "smilebringerdesign.com", "naomicoleclinic.com", "wingsforklift.com", "newsounding.com", "48hrbusinessrescue.pro", "101osthoff456.com", "attleticgreens.com", "xx233.xyz", "niziuantena.com", "photosbyamandajdaniels.com", "udharworld.com", "astrolmass.com", "wzht88.com", "victoriasessionsheroes.com", "thefuture101.com", "sihe08.com", "webingnar.com", "influentialgood.com", "jobdoctorplacements.com", "bankrotstvostavropol.pro", "gracefulfari.com", "bluevistainvestments.com", "poopertroopersct.com", "link-glue.com", "barbequeterie.com", "ajbkscw.com", "janek-sales-training.net", "salesjump.xyz", "whatthefountain.com", "centre-pour-formation.com", "aiocoin.net", "thefreemaskstore.com", "localwow.net", "steven-ross.com", "perennialhh.com", "luxebeautylash.com", "aswahorganic.com", "businesshouse5asidejm.com", "zowjain.com", "mediatraining-toronto.com", "ashtangaway.com", "solutiirecentedemarketing.club", "zgzuqw.com", "timerma.com", "aguaalcalinamexico.com", "tacostio1.com", "karitaz.com", "bismillahbodyoil.com", "c2p.life", "kacgt.com", "fastcincincinnatioffer.com", "michaels.house"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kPDOHsyqKitj.exe ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: nova narud#U017eba pdf rvP6N.exe Virustotal: Detection: 22%
Source: nova narud#U017eba pdf rvP6N.exe ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match File source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\kPDOHsyqKitj.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: nova narud#U017eba pdf rvP6N.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: nova narud#U017eba pdf rvP6N.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: nova narud#U017eba pdf rvP6N.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netsh.pdb source: RegSvcs.exe, 00000003.00000002.292530659.0000000000D81000.00000004.00000020.sdmp
Source: Binary string: RegSvcs.pdb, source: netsh.exe, 0000000F.00000002.503721845.0000000003ABF000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.292653801.00000000011A0000.00000040.00000001.sdmp, netsh.exe, 0000000F.00000002.501734799.0000000003590000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: RegSvcs.exe, 00000003.00000002.292530659.0000000000D81000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, netsh.exe
Source: Binary string: RegSvcs.pdb source: netsh.exe, 0000000F.00000002.503721845.0000000003ABF000.00000004.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02A5A3A8
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02A5A398
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02A5A45C
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02A5B8BB
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02A5B8C8

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.lovetarot.online/sqxs/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /sqxs/?9r=MRpl8UDFdJqnpJCoHCjX+0bMpbzGGukG+UMXxre6C1KfRpZnCXnM0uJ6ixOsqKWJKMs9S6HgiQ==&sZRd=1bYDYvm0JHdHoLj HTTP/1.1Host: www.magentos6.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sqxs/?9r=vISvmTlEiopKSz7sbFBAxkFCF8r7k2dJAG7u5uLq0h9VZPMRNv+QYXnwEIKYsgNdKjl1RWh6mQ==&sZRd=1bYDYvm0JHdHoLj HTTP/1.1Host: www.businesshouse5asidejm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: global traffic HTTP traffic detected: GET /sqxs/?9r=MRpl8UDFdJqnpJCoHCjX+0bMpbzGGukG+UMXxre6C1KfRpZnCXnM0uJ6ixOsqKWJKMs9S6HgiQ==&sZRd=1bYDYvm0JHdHoLj HTTP/1.1Host: www.magentos6.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sqxs/?9r=vISvmTlEiopKSz7sbFBAxkFCF8r7k2dJAG7u5uLq0h9VZPMRNv+QYXnwEIKYsgNdKjl1RWh6mQ==&sZRd=1bYDYvm0JHdHoLj HTTP/1.1Host: www.businesshouse5asidejm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.magentos6.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Apr 2021 10:34:41 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 328Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 71 78 73 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sqxs/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247095559.0000000002C11000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.269916835.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comadi
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comefa
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.234005594.0000000005C54000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comva
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com=
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comE.TTF
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comFt
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comrsivr
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.233746796.0000000005C51000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/tm
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp, nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235359346.0000000005C4A000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Ian
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.234872250.0000000005C46000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Sue
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0bd
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235359346.0000000005C4A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0y
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/j
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235198791.0000000005C4A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/S
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/roso
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s_tr
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.234872250.0000000005C46000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/vv
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: nova narud#U017eba pdf rvP6N.exe String found in binary or memory: https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
Source: nova narud#U017eba pdf rvP6N.exe String found in binary or memory: https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip
Source: nova narud#U017eba pdf rvP6N.exe String found in binary or memory: https://github.com/d-haxton/HaxtonBot/archive/master.zip
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041A070 NtClose, 3_2_0041A070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041A120 NtAllocateVirtualMemory, 3_2_0041A120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00419F40 NtCreateFile, 3_2_00419F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00419FF0 NtReadFile, 3_2_00419FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041A09A NtReadFile, 3_2_0041A09A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041A11A NtAllocateVirtualMemory, 3_2_0041A11A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00419F3A NtCreateFile, 3_2_00419F3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00419FEB NtReadFile, 3_2_00419FEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_01209910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012099A0 NtCreateSection,LdrInitializeThunk, 3_2_012099A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_01209860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209840 NtDelayExecution,LdrInitializeThunk, 3_2_01209840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012098F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_012098F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209A20 NtResumeThread,LdrInitializeThunk, 3_2_01209A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_01209A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209A50 NtCreateFile,LdrInitializeThunk, 3_2_01209A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209540 NtReadFile,LdrInitializeThunk, 3_2_01209540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012095D0 NtClose,LdrInitializeThunk, 3_2_012095D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209710 NtQueryInformationToken,LdrInitializeThunk, 3_2_01209710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012097A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_012097A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209780 NtMapViewOfSection,LdrInitializeThunk, 3_2_01209780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_01209660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012096E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_012096E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209950 NtQueueApcThread, 3_2_01209950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012099D0 NtCreateProcessEx, 3_2_012099D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209820 NtEnumerateKey, 3_2_01209820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0120B040 NtSuspendThread, 3_2_0120B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012098A0 NtWriteVirtualMemory, 3_2_012098A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209B00 NtSetValueKey, 3_2_01209B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0120A3B0 NtGetContextThread, 3_2_0120A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209A10 NtQuerySection, 3_2_01209A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209A80 NtOpenDirectoryObject, 3_2_01209A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209520 NtWaitForSingleObject, 3_2_01209520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0120AD30 NtSetContextThread, 3_2_0120AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209560 NtWriteFile, 3_2_01209560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012095F0 NtQueryInformationFile, 3_2_012095F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209730 NtQueryVirtualMemory, 3_2_01209730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0120A710 NtOpenProcessToken, 3_2_0120A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209760 NtOpenProcess, 3_2_01209760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209770 NtSetInformationFile, 3_2_01209770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0120A770 NtOpenThread, 3_2_0120A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209FE0 NtCreateMutant, 3_2_01209FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209610 NtEnumerateValueKey, 3_2_01209610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209670 NtQueryInformationProcess, 3_2_01209670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01209650 NtQueryValueKey, 3_2_01209650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012096D0 NtCreateKey, 3_2_012096D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9710 NtQueryInformationToken,LdrInitializeThunk, 15_2_035F9710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9FE0 NtCreateMutant,LdrInitializeThunk, 15_2_035F9FE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9780 NtMapViewOfSection,LdrInitializeThunk, 15_2_035F9780
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9A50 NtCreateFile,LdrInitializeThunk, 15_2_035F9A50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F96D0 NtCreateKey,LdrInitializeThunk, 15_2_035F96D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_035F96E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9540 NtReadFile,LdrInitializeThunk, 15_2_035F9540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_035F9910
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F95D0 NtClose,LdrInitializeThunk, 15_2_035F95D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F99A0 NtCreateSection,LdrInitializeThunk, 15_2_035F99A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9840 NtDelayExecution,LdrInitializeThunk, 15_2_035F9840
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_035F9860
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9770 NtSetInformationFile, 15_2_035F9770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035FA770 NtOpenThread, 15_2_035FA770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9760 NtOpenProcess, 15_2_035F9760
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035FA710 NtOpenProcessToken, 15_2_035FA710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9B00 NtSetValueKey, 15_2_035F9B00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9730 NtQueryVirtualMemory, 15_2_035F9730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035FA3B0 NtGetContextThread, 15_2_035FA3B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F97A0 NtUnmapViewOfSection, 15_2_035F97A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9650 NtQueryValueKey, 15_2_035F9650
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9670 NtQueryInformationProcess, 15_2_035F9670
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9660 NtAllocateVirtualMemory, 15_2_035F9660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9610 NtEnumerateValueKey, 15_2_035F9610
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9A10 NtQuerySection, 15_2_035F9A10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9A00 NtProtectVirtualMemory, 15_2_035F9A00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9A20 NtResumeThread, 15_2_035F9A20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9A80 NtOpenDirectoryObject, 15_2_035F9A80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9950 NtQueueApcThread, 15_2_035F9950
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9560 NtWriteFile, 15_2_035F9560
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035FAD30 NtSetContextThread, 15_2_035FAD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9520 NtWaitForSingleObject, 15_2_035F9520
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F99D0 NtCreateProcessEx, 15_2_035F99D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F95F0 NtQueryInformationFile, 15_2_035F95F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035FB040 NtSuspendThread, 15_2_035FB040
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F9820 NtEnumerateKey, 15_2_035F9820
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F98F0 NtReadVirtualMemory, 15_2_035F98F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F98A0 NtWriteVirtualMemory, 15_2_035F98A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B2A070 NtClose, 15_2_00B2A070
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B29FF0 NtReadFile, 15_2_00B29FF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B29F40 NtCreateFile, 15_2_00B29F40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B2A09A NtReadFile, 15_2_00B2A09A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B29FEB NtReadFile, 15_2_00B29FEB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B29F3A NtCreateFile, 15_2_00B29F3A
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 011CB150 appears 45 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 035BB150 appears 35 times
PE file contains strange resources
Source: nova narud#U017eba pdf rvP6N.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kPDOHsyqKitj.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.255050160.000000000EB00000.00000002.00000001.sdmp Binary or memory string: originalfilename vs nova narud#U017eba pdf rvP6N.exe
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.255050160.000000000EB00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs nova narud#U017eba pdf rvP6N.exe
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.245810469.000000000084E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCallingConvention.exeD vs nova narud#U017eba pdf rvP6N.exe
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.253429722.0000000008AC0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll2 vs nova narud#U017eba pdf rvP6N.exe
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.253604413.0000000008D70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll" vs nova narud#U017eba pdf rvP6N.exe
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.254213963.000000000EA10000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs nova narud#U017eba pdf rvP6N.exe
Source: nova narud#U017eba pdf rvP6N.exe Binary or memory string: OriginalFilenameCallingConvention.exeD vs nova narud#U017eba pdf rvP6N.exe
Uses 32bit PE files
Source: nova narud#U017eba pdf rvP6N.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: nova narud#U017eba pdf rvP6N.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kPDOHsyqKitj.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/4@3/2
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe File created: C:\Users\user\AppData\Roaming\kPDOHsyqKitj.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_01
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Mutant created: \Sessions\1\BaseNamedObjects\DHpUjcrtpqLWTngwgQpOKc
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe File created: C:\Users\user\AppData\Local\Temp\tmp59AC.tmp
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: nova narud#U017eba pdf rvP6N.exe Virustotal: Detection: 22%
Source: nova narud#U017eba pdf rvP6N.exe ReversingLabs: Detection: 14%
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe File read: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe
Source: unknown Process created: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe 'C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe'
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kPDOHsyqKitj' /XML 'C:\Users\user\AppData\Local\Temp\tmp59AC.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: nova narud#U017eba pdf rvP6N.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: nova narud#U017eba pdf rvP6N.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netsh.pdb source: RegSvcs.exe, 00000003.00000002.292530659.0000000000D81000.00000004.00000020.sdmp
Source: Binary string: RegSvcs.pdb, source: netsh.exe, 0000000F.00000002.503721845.0000000003ABF000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.292653801.00000000011A0000.00000040.00000001.sdmp, netsh.exe, 0000000F.00000002.501734799.0000000003590000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: RegSvcs.exe, 00000003.00000002.292530659.0000000000D81000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, netsh.exe
Source: Binary string: RegSvcs.pdb source: netsh.exe, 0000000F.00000002.503721845.0000000003ABF000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Code function: 0_2_007A5683 push es; retf 0_2_007A5684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041D0E2 push eax; ret 3_2_0041D0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041D0EB push eax; ret 3_2_0041D152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041D095 push eax; ret 3_2_0041D0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041D14C push eax; ret 3_2_0041D152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00407924 push es; ret 3_2_00407925
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041EA86 push cs; iretd 3_2_0041EA87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00416C31 push ebp; iretd 3_2_00416C41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00417D4A pushfd ; ret 3_2_00417D4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041651B push ebp; ret 3_2_0041651D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0121D0D1 push ecx; ret 3_2_0121D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0360D0D1 push ecx; ret 15_2_0360D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B2D095 push eax; ret 15_2_00B2D0E8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B2D0E2 push eax; ret 15_2_00B2D0E8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B2D0EB push eax; ret 15_2_00B2D152
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B17924 push es; ret 15_2_00B17925
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B2D14C push eax; ret 15_2_00B2D152
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B2EA86 push cs; iretd 15_2_00B2EA87
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B26C31 push ebp; iretd 15_2_00B26C41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B2651B push ebp; ret 15_2_00B2651D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00B27D4A pushfd ; ret 15_2_00B27D4B
Source: initial sample Static PE information: section name: .text entropy: 7.57616433715

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe File created: C:\Users\user\AppData\Roaming\kPDOHsyqKitj.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kPDOHsyqKitj' /XML 'C:\Users\user\AppData\Local\Temp\tmp59AC.tmp'

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xE4
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nova narud#U017eba pdf rvP6N.exe PID: 4844, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000B198E4 second address: 0000000000B198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000B19B5E second address: 0000000000B19B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00409A90 rdtsc 3_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe TID: 5772 Thread sleep time: -103927s >= -30000s
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe TID: 6148 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6476 Thread sleep count: 35 > 30
Source: C:\Windows\explorer.exe TID: 6476 Thread sleep time: -70000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 5756 Thread sleep time: -44000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Thread delayed: delay time: 103927
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000004.00000000.274445378.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.274445378.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.274617478.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.266513383.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.274617478.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000004.00000002.513073004.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000004.00000000.274617478.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000004.00000000.274514270.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000004.00000000.274514270.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.270098997.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.266513383.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.266513383.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.245146979.0000000008B04000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:)
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000004.00000000.266513383.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00409A90 rdtsc 3_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0040ACD0 LdrLoadDll, 3_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C9100 mov eax, dword ptr fs:[00000030h] 3_2_011C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F513A mov eax, dword ptr fs:[00000030h] 3_2_011F513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011E4120 mov eax, dword ptr fs:[00000030h] 3_2_011E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011E4120 mov ecx, dword ptr fs:[00000030h] 3_2_011E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011EB944 mov eax, dword ptr fs:[00000030h] 3_2_011EB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CB171 mov eax, dword ptr fs:[00000030h] 3_2_011CB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CC962 mov eax, dword ptr fs:[00000030h] 3_2_011CC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012469A6 mov eax, dword ptr fs:[00000030h] 3_2_012469A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012849A4 mov eax, dword ptr fs:[00000030h] 3_2_012849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F2990 mov eax, dword ptr fs:[00000030h] 3_2_011F2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011FA185 mov eax, dword ptr fs:[00000030h] 3_2_011FA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012451BE mov eax, dword ptr fs:[00000030h] 3_2_012451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011EC182 mov eax, dword ptr fs:[00000030h] 3_2_011EC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F61A0 mov eax, dword ptr fs:[00000030h] 3_2_011F61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012541E8 mov eax, dword ptr fs:[00000030h] 3_2_012541E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CB1E1 mov eax, dword ptr fs:[00000030h] 3_2_011CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01247016 mov eax, dword ptr fs:[00000030h] 3_2_01247016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F002D mov eax, dword ptr fs:[00000030h] 3_2_011F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011DB02A mov eax, dword ptr fs:[00000030h] 3_2_011DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01294015 mov eax, dword ptr fs:[00000030h] 3_2_01294015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011E0050 mov eax, dword ptr fs:[00000030h] 3_2_011E0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01282073 mov eax, dword ptr fs:[00000030h] 3_2_01282073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01291074 mov eax, dword ptr fs:[00000030h] 3_2_01291074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012090AF mov eax, dword ptr fs:[00000030h] 3_2_012090AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C9080 mov eax, dword ptr fs:[00000030h] 3_2_011C9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011FF0BF mov ecx, dword ptr fs:[00000030h] 3_2_011FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011FF0BF mov eax, dword ptr fs:[00000030h] 3_2_011FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01243884 mov eax, dword ptr fs:[00000030h] 3_2_01243884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F20A0 mov eax, dword ptr fs:[00000030h] 3_2_011F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C58EC mov eax, dword ptr fs:[00000030h] 3_2_011C58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0125B8D0 mov eax, dword ptr fs:[00000030h] 3_2_0125B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0125B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_0125B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C40E1 mov eax, dword ptr fs:[00000030h] 3_2_011C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0128131B mov eax, dword ptr fs:[00000030h] 3_2_0128131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CF358 mov eax, dword ptr fs:[00000030h] 3_2_011CF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CDB40 mov eax, dword ptr fs:[00000030h] 3_2_011CDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F3B7A mov eax, dword ptr fs:[00000030h] 3_2_011F3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01298B58 mov eax, dword ptr fs:[00000030h] 3_2_01298B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CDB60 mov ecx, dword ptr fs:[00000030h] 3_2_011CDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F2397 mov eax, dword ptr fs:[00000030h] 3_2_011F2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01295BA5 mov eax, dword ptr fs:[00000030h] 3_2_01295BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011FB390 mov eax, dword ptr fs:[00000030h] 3_2_011FB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011D1B8F mov eax, dword ptr fs:[00000030h] 3_2_011D1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0128138A mov eax, dword ptr fs:[00000030h] 3_2_0128138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0127D380 mov ecx, dword ptr fs:[00000030h] 3_2_0127D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F4BAD mov eax, dword ptr fs:[00000030h] 3_2_011F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012453CA mov eax, dword ptr fs:[00000030h] 3_2_012453CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011EDBE9 mov eax, dword ptr fs:[00000030h] 3_2_011EDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F03E2 mov eax, dword ptr fs:[00000030h] 3_2_011F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011E3A1C mov eax, dword ptr fs:[00000030h] 3_2_011E3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CAA16 mov eax, dword ptr fs:[00000030h] 3_2_011CAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01204A2C mov eax, dword ptr fs:[00000030h] 3_2_01204A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C5210 mov eax, dword ptr fs:[00000030h] 3_2_011C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C5210 mov ecx, dword ptr fs:[00000030h] 3_2_011C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011D8A0A mov eax, dword ptr fs:[00000030h] 3_2_011D8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0128AA16 mov eax, dword ptr fs:[00000030h] 3_2_0128AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0127B260 mov eax, dword ptr fs:[00000030h] 3_2_0127B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01298A62 mov eax, dword ptr fs:[00000030h] 3_2_01298A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0120927A mov eax, dword ptr fs:[00000030h] 3_2_0120927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C9240 mov eax, dword ptr fs:[00000030h] 3_2_011C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01254257 mov eax, dword ptr fs:[00000030h] 3_2_01254257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0128EA55 mov eax, dword ptr fs:[00000030h] 3_2_0128EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011FD294 mov eax, dword ptr fs:[00000030h] 3_2_011FD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011DAAB0 mov eax, dword ptr fs:[00000030h] 3_2_011DAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011FFAB0 mov eax, dword ptr fs:[00000030h] 3_2_011FFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C52A5 mov eax, dword ptr fs:[00000030h] 3_2_011C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F2ACB mov eax, dword ptr fs:[00000030h] 3_2_011F2ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F2AE4 mov eax, dword ptr fs:[00000030h] 3_2_011F2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0128E539 mov eax, dword ptr fs:[00000030h] 3_2_0128E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0124A537 mov eax, dword ptr fs:[00000030h] 3_2_0124A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01298D34 mov eax, dword ptr fs:[00000030h] 3_2_01298D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F4D3B mov eax, dword ptr fs:[00000030h] 3_2_011F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011D3D34 mov eax, dword ptr fs:[00000030h] 3_2_011D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CAD30 mov eax, dword ptr fs:[00000030h] 3_2_011CAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011E7D50 mov eax, dword ptr fs:[00000030h] 3_2_011E7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01203D43 mov eax, dword ptr fs:[00000030h] 3_2_01203D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01243540 mov eax, dword ptr fs:[00000030h] 3_2_01243540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01273D40 mov eax, dword ptr fs:[00000030h] 3_2_01273D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011EC577 mov eax, dword ptr fs:[00000030h] 3_2_011EC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011FFD9B mov eax, dword ptr fs:[00000030h] 3_2_011FFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012905AC mov eax, dword ptr fs:[00000030h] 3_2_012905AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C2D8A mov eax, dword ptr fs:[00000030h] 3_2_011C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F2581 mov eax, dword ptr fs:[00000030h] 3_2_011F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F1DB5 mov eax, dword ptr fs:[00000030h] 3_2_011F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F35A1 mov eax, dword ptr fs:[00000030h] 3_2_011F35A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0128FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0128FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01278DF1 mov eax, dword ptr fs:[00000030h] 3_2_01278DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01246DC9 mov eax, dword ptr fs:[00000030h] 3_2_01246DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01246DC9 mov ecx, dword ptr fs:[00000030h] 3_2_01246DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011DD5E0 mov eax, dword ptr fs:[00000030h] 3_2_011DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0129740D mov eax, dword ptr fs:[00000030h] 3_2_0129740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01281C06 mov eax, dword ptr fs:[00000030h] 3_2_01281C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01246C0A mov eax, dword ptr fs:[00000030h] 3_2_01246C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011FBC2C mov eax, dword ptr fs:[00000030h] 3_2_011FBC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011FA44B mov eax, dword ptr fs:[00000030h] 3_2_011FA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011E746D mov eax, dword ptr fs:[00000030h] 3_2_011E746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0125C450 mov eax, dword ptr fs:[00000030h] 3_2_0125C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011D849B mov eax, dword ptr fs:[00000030h] 3_2_011D849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012814FB mov eax, dword ptr fs:[00000030h] 3_2_012814FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01246CF0 mov eax, dword ptr fs:[00000030h] 3_2_01246CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01298CD6 mov eax, dword ptr fs:[00000030h] 3_2_01298CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011EF716 mov eax, dword ptr fs:[00000030h] 3_2_011EF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011FA70E mov eax, dword ptr fs:[00000030h] 3_2_011FA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0129070D mov eax, dword ptr fs:[00000030h] 3_2_0129070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011FE730 mov eax, dword ptr fs:[00000030h] 3_2_011FE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C4F2E mov eax, dword ptr fs:[00000030h] 3_2_011C4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0125FF10 mov eax, dword ptr fs:[00000030h] 3_2_0125FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01298F6A mov eax, dword ptr fs:[00000030h] 3_2_01298F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011DEF40 mov eax, dword ptr fs:[00000030h] 3_2_011DEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011DFF60 mov eax, dword ptr fs:[00000030h] 3_2_011DFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011D8794 mov eax, dword ptr fs:[00000030h] 3_2_011D8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01247794 mov eax, dword ptr fs:[00000030h] 3_2_01247794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012037F5 mov eax, dword ptr fs:[00000030h] 3_2_012037F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011FA61C mov eax, dword ptr fs:[00000030h] 3_2_011FA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0127FE3F mov eax, dword ptr fs:[00000030h] 3_2_0127FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CC600 mov eax, dword ptr fs:[00000030h] 3_2_011CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F8E00 mov eax, dword ptr fs:[00000030h] 3_2_011F8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01281608 mov eax, dword ptr fs:[00000030h] 3_2_01281608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CE620 mov eax, dword ptr fs:[00000030h] 3_2_011CE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011D7E41 mov eax, dword ptr fs:[00000030h] 3_2_011D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0128AE44 mov eax, dword ptr fs:[00000030h] 3_2_0128AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011EAE73 mov eax, dword ptr fs:[00000030h] 3_2_011EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011D766D mov eax, dword ptr fs:[00000030h] 3_2_011D766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012446A7 mov eax, dword ptr fs:[00000030h] 3_2_012446A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01290EA5 mov eax, dword ptr fs:[00000030h] 3_2_01290EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0125FE87 mov eax, dword ptr fs:[00000030h] 3_2_0125FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F36CC mov eax, dword ptr fs:[00000030h] 3_2_011F36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0127FEC0 mov eax, dword ptr fs:[00000030h] 3_2_0127FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01208EC7 mov eax, dword ptr fs:[00000030h] 3_2_01208EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F16E0 mov ecx, dword ptr fs:[00000030h] 3_2_011F16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01298ED6 mov eax, dword ptr fs:[00000030h] 3_2_01298ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011D76E2 mov eax, dword ptr fs:[00000030h] 3_2_011D76E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03688F6A mov eax, dword ptr fs:[00000030h] 15_2_03688F6A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BF358 mov eax, dword ptr fs:[00000030h] 15_2_035BF358
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BDB40 mov eax, dword ptr fs:[00000030h] 15_2_035BDB40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035CEF40 mov eax, dword ptr fs:[00000030h] 15_2_035CEF40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E3B7A mov eax, dword ptr fs:[00000030h] 15_2_035E3B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03688B58 mov eax, dword ptr fs:[00000030h] 15_2_03688B58
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BDB60 mov ecx, dword ptr fs:[00000030h] 15_2_035BDB60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035CFF60 mov eax, dword ptr fs:[00000030h] 15_2_035CFF60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035DF716 mov eax, dword ptr fs:[00000030h] 15_2_035DF716
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035EA70E mov eax, dword ptr fs:[00000030h] 15_2_035EA70E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0368070D mov eax, dword ptr fs:[00000030h] 15_2_0368070D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035EE730 mov eax, dword ptr fs:[00000030h] 15_2_035EE730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0364FF10 mov eax, dword ptr fs:[00000030h] 15_2_0364FF10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B4F2E mov eax, dword ptr fs:[00000030h] 15_2_035B4F2E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0367131B mov eax, dword ptr fs:[00000030h] 15_2_0367131B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_036353CA mov eax, dword ptr fs:[00000030h] 15_2_036353CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F37F5 mov eax, dword ptr fs:[00000030h] 15_2_035F37F5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035DDBE9 mov eax, dword ptr fs:[00000030h] 15_2_035DDBE9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E03E2 mov eax, dword ptr fs:[00000030h] 15_2_035E03E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C8794 mov eax, dword ptr fs:[00000030h] 15_2_035C8794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E2397 mov eax, dword ptr fs:[00000030h] 15_2_035E2397
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03685BA5 mov eax, dword ptr fs:[00000030h] 15_2_03685BA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035EB390 mov eax, dword ptr fs:[00000030h] 15_2_035EB390
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C1B8F mov eax, dword ptr fs:[00000030h] 15_2_035C1B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0366D380 mov ecx, dword ptr fs:[00000030h] 15_2_0366D380
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0367138A mov eax, dword ptr fs:[00000030h] 15_2_0367138A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E4BAD mov eax, dword ptr fs:[00000030h] 15_2_035E4BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03637794 mov eax, dword ptr fs:[00000030h] 15_2_03637794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0366B260 mov eax, dword ptr fs:[00000030h] 15_2_0366B260
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03688A62 mov eax, dword ptr fs:[00000030h] 15_2_03688A62
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B9240 mov eax, dword ptr fs:[00000030h] 15_2_035B9240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C7E41 mov eax, dword ptr fs:[00000030h] 15_2_035C7E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0367AE44 mov eax, dword ptr fs:[00000030h] 15_2_0367AE44
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F927A mov eax, dword ptr fs:[00000030h] 15_2_035F927A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035DAE73 mov eax, dword ptr fs:[00000030h] 15_2_035DAE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C766D mov eax, dword ptr fs:[00000030h] 15_2_035C766D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0367EA55 mov eax, dword ptr fs:[00000030h] 15_2_0367EA55
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03644257 mov eax, dword ptr fs:[00000030h] 15_2_03644257
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035D3A1C mov eax, dword ptr fs:[00000030h] 15_2_035D3A1C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035EA61C mov eax, dword ptr fs:[00000030h] 15_2_035EA61C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B5210 mov eax, dword ptr fs:[00000030h] 15_2_035B5210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B5210 mov ecx, dword ptr fs:[00000030h] 15_2_035B5210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BAA16 mov eax, dword ptr fs:[00000030h] 15_2_035BAA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C8A0A mov eax, dword ptr fs:[00000030h] 15_2_035C8A0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0366FE3F mov eax, dword ptr fs:[00000030h] 15_2_0366FE3F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BC600 mov eax, dword ptr fs:[00000030h] 15_2_035BC600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BC600 mov eax, dword ptr fs:[00000030h] 15_2_035BC600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BC600 mov eax, dword ptr fs:[00000030h] 15_2_035BC600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E8E00 mov eax, dword ptr fs:[00000030h] 15_2_035E8E00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671608 mov eax, dword ptr fs:[00000030h] 15_2_03671608
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F4A2C mov eax, dword ptr fs:[00000030h] 15_2_035F4A2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F4A2C mov eax, dword ptr fs:[00000030h] 15_2_035F4A2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BE620 mov eax, dword ptr fs:[00000030h] 15_2_035BE620
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E36CC mov eax, dword ptr fs:[00000030h] 15_2_035E36CC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E2ACB mov eax, dword ptr fs:[00000030h] 15_2_035E2ACB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F8EC7 mov eax, dword ptr fs:[00000030h] 15_2_035F8EC7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0366FEC0 mov eax, dword ptr fs:[00000030h] 15_2_0366FEC0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E2AE4 mov eax, dword ptr fs:[00000030h] 15_2_035E2AE4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E16E0 mov ecx, dword ptr fs:[00000030h] 15_2_035E16E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03688ED6 mov eax, dword ptr fs:[00000030h] 15_2_03688ED6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C76E2 mov eax, dword ptr fs:[00000030h] 15_2_035C76E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_036346A7 mov eax, dword ptr fs:[00000030h] 15_2_036346A7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035ED294 mov eax, dword ptr fs:[00000030h] 15_2_035ED294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035ED294 mov eax, dword ptr fs:[00000030h] 15_2_035ED294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03680EA5 mov eax, dword ptr fs:[00000030h] 15_2_03680EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03680EA5 mov eax, dword ptr fs:[00000030h] 15_2_03680EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03680EA5 mov eax, dword ptr fs:[00000030h] 15_2_03680EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0364FE87 mov eax, dword ptr fs:[00000030h] 15_2_0364FE87
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035CAAB0 mov eax, dword ptr fs:[00000030h] 15_2_035CAAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035CAAB0 mov eax, dword ptr fs:[00000030h] 15_2_035CAAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035EFAB0 mov eax, dword ptr fs:[00000030h] 15_2_035EFAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B52A5 mov eax, dword ptr fs:[00000030h] 15_2_035B52A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B52A5 mov eax, dword ptr fs:[00000030h] 15_2_035B52A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B52A5 mov eax, dword ptr fs:[00000030h] 15_2_035B52A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B52A5 mov eax, dword ptr fs:[00000030h] 15_2_035B52A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B52A5 mov eax, dword ptr fs:[00000030h] 15_2_035B52A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035D7D50 mov eax, dword ptr fs:[00000030h] 15_2_035D7D50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035DB944 mov eax, dword ptr fs:[00000030h] 15_2_035DB944
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035DB944 mov eax, dword ptr fs:[00000030h] 15_2_035DB944
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035F3D43 mov eax, dword ptr fs:[00000030h] 15_2_035F3D43
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03633540 mov eax, dword ptr fs:[00000030h] 15_2_03633540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BB171 mov eax, dword ptr fs:[00000030h] 15_2_035BB171
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BB171 mov eax, dword ptr fs:[00000030h] 15_2_035BB171
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035DC577 mov eax, dword ptr fs:[00000030h] 15_2_035DC577
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035DC577 mov eax, dword ptr fs:[00000030h] 15_2_035DC577
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BC962 mov eax, dword ptr fs:[00000030h] 15_2_035BC962
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0363A537 mov eax, dword ptr fs:[00000030h] 15_2_0363A537
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B9100 mov eax, dword ptr fs:[00000030h] 15_2_035B9100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B9100 mov eax, dword ptr fs:[00000030h] 15_2_035B9100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B9100 mov eax, dword ptr fs:[00000030h] 15_2_035B9100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03688D34 mov eax, dword ptr fs:[00000030h] 15_2_03688D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0367E539 mov eax, dword ptr fs:[00000030h] 15_2_0367E539
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E513A mov eax, dword ptr fs:[00000030h] 15_2_035E513A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E513A mov eax, dword ptr fs:[00000030h] 15_2_035E513A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E4D3B mov eax, dword ptr fs:[00000030h] 15_2_035E4D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E4D3B mov eax, dword ptr fs:[00000030h] 15_2_035E4D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E4D3B mov eax, dword ptr fs:[00000030h] 15_2_035E4D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035C3D34 mov eax, dword ptr fs:[00000030h] 15_2_035C3D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BAD30 mov eax, dword ptr fs:[00000030h] 15_2_035BAD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035D4120 mov eax, dword ptr fs:[00000030h] 15_2_035D4120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035D4120 mov eax, dword ptr fs:[00000030h] 15_2_035D4120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035D4120 mov eax, dword ptr fs:[00000030h] 15_2_035D4120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035D4120 mov eax, dword ptr fs:[00000030h] 15_2_035D4120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035D4120 mov ecx, dword ptr fs:[00000030h] 15_2_035D4120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0367FDE2 mov eax, dword ptr fs:[00000030h] 15_2_0367FDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0367FDE2 mov eax, dword ptr fs:[00000030h] 15_2_0367FDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0367FDE2 mov eax, dword ptr fs:[00000030h] 15_2_0367FDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0367FDE2 mov eax, dword ptr fs:[00000030h] 15_2_0367FDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_036441E8 mov eax, dword ptr fs:[00000030h] 15_2_036441E8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03668DF1 mov eax, dword ptr fs:[00000030h] 15_2_03668DF1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03636DC9 mov eax, dword ptr fs:[00000030h] 15_2_03636DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03636DC9 mov eax, dword ptr fs:[00000030h] 15_2_03636DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03636DC9 mov eax, dword ptr fs:[00000030h] 15_2_03636DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03636DC9 mov ecx, dword ptr fs:[00000030h] 15_2_03636DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03636DC9 mov eax, dword ptr fs:[00000030h] 15_2_03636DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03636DC9 mov eax, dword ptr fs:[00000030h] 15_2_03636DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BB1E1 mov eax, dword ptr fs:[00000030h] 15_2_035BB1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BB1E1 mov eax, dword ptr fs:[00000030h] 15_2_035BB1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035BB1E1 mov eax, dword ptr fs:[00000030h] 15_2_035BB1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035CD5E0 mov eax, dword ptr fs:[00000030h] 15_2_035CD5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035CD5E0 mov eax, dword ptr fs:[00000030h] 15_2_035CD5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_036805AC mov eax, dword ptr fs:[00000030h] 15_2_036805AC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_036805AC mov eax, dword ptr fs:[00000030h] 15_2_036805AC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035EFD9B mov eax, dword ptr fs:[00000030h] 15_2_035EFD9B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035EFD9B mov eax, dword ptr fs:[00000030h] 15_2_035EFD9B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_036369A6 mov eax, dword ptr fs:[00000030h] 15_2_036369A6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E2990 mov eax, dword ptr fs:[00000030h] 15_2_035E2990
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B2D8A mov eax, dword ptr fs:[00000030h] 15_2_035B2D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B2D8A mov eax, dword ptr fs:[00000030h] 15_2_035B2D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B2D8A mov eax, dword ptr fs:[00000030h] 15_2_035B2D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B2D8A mov eax, dword ptr fs:[00000030h] 15_2_035B2D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035B2D8A mov eax, dword ptr fs:[00000030h] 15_2_035B2D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035EA185 mov eax, dword ptr fs:[00000030h] 15_2_035EA185
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_036351BE mov eax, dword ptr fs:[00000030h] 15_2_036351BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_036351BE mov eax, dword ptr fs:[00000030h] 15_2_036351BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_036351BE mov eax, dword ptr fs:[00000030h] 15_2_036351BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_036351BE mov eax, dword ptr fs:[00000030h] 15_2_036351BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035DC182 mov eax, dword ptr fs:[00000030h] 15_2_035DC182
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E2581 mov eax, dword ptr fs:[00000030h] 15_2_035E2581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E2581 mov eax, dword ptr fs:[00000030h] 15_2_035E2581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E2581 mov eax, dword ptr fs:[00000030h] 15_2_035E2581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E2581 mov eax, dword ptr fs:[00000030h] 15_2_035E2581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E1DB5 mov eax, dword ptr fs:[00000030h] 15_2_035E1DB5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E1DB5 mov eax, dword ptr fs:[00000030h] 15_2_035E1DB5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E1DB5 mov eax, dword ptr fs:[00000030h] 15_2_035E1DB5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E61A0 mov eax, dword ptr fs:[00000030h] 15_2_035E61A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E61A0 mov eax, dword ptr fs:[00000030h] 15_2_035E61A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E35A1 mov eax, dword ptr fs:[00000030h] 15_2_035E35A1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035D0050 mov eax, dword ptr fs:[00000030h] 15_2_035D0050
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035D0050 mov eax, dword ptr fs:[00000030h] 15_2_035D0050
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03672073 mov eax, dword ptr fs:[00000030h] 15_2_03672073
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035EA44B mov eax, dword ptr fs:[00000030h] 15_2_035EA44B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03681074 mov eax, dword ptr fs:[00000030h] 15_2_03681074
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035D746D mov eax, dword ptr fs:[00000030h] 15_2_035D746D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0364C450 mov eax, dword ptr fs:[00000030h] 15_2_0364C450
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0364C450 mov eax, dword ptr fs:[00000030h] 15_2_0364C450
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03671C06 mov eax, dword ptr fs:[00000030h] 15_2_03671C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0368740D mov eax, dword ptr fs:[00000030h] 15_2_0368740D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0368740D mov eax, dword ptr fs:[00000030h] 15_2_0368740D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0368740D mov eax, dword ptr fs:[00000030h] 15_2_0368740D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03636C0A mov eax, dword ptr fs:[00000030h] 15_2_03636C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03636C0A mov eax, dword ptr fs:[00000030h] 15_2_03636C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03636C0A mov eax, dword ptr fs:[00000030h] 15_2_03636C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_03636C0A mov eax, dword ptr fs:[00000030h] 15_2_03636C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035EBC2C mov eax, dword ptr fs:[00000030h] 15_2_035EBC2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E002D mov eax, dword ptr fs:[00000030h] 15_2_035E002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_035E002D mov eax, dword ptr fs:[00000030h] 15_2_035E002D
Enables debug privileges
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.businesshouse5asidejm.com
Source: C:\Windows\explorer.exe Network Connect: 63.250.37.200 80
Source: C:\Windows\explorer.exe Domain query: www.magentos6.com
Source: C:\Windows\explorer.exe Network Connect: 156.235.148.136 80
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3292
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1570000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 969008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kPDOHsyqKitj' /XML 'C:\Users\user\AppData\Local\Temp\tmp59AC.tmp'
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: explorer.exe, 00000004.00000002.501147995.0000000001400000.00000002.00000001.sdmp, netsh.exe, 0000000F.00000002.504010783.0000000004920000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000004.00000002.501147995.0000000001400000.00000002.00000001.sdmp, netsh.exe, 0000000F.00000002.504010783.0000000004920000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.501147995.0000000001400000.00000002.00000001.sdmp, netsh.exe, 0000000F.00000002.504010783.0000000004920000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.501147995.0000000001400000.00000002.00000001.sdmp, netsh.exe, 0000000F.00000002.504010783.0000000004920000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.249889738.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000004.00000000.274514270.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
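The Yara-match sources above are memory-dump identifiers, and an analyst usually wants to turn them into something readable: which sandbox process the match was in, at what base address, and with what page protection, since a FormBook payload running inside a hollowed RegSvcs.exe will sit in a read/write/execute region. The script below is an added example written for this page, not Joe Sandbox code. It assumes the dump-name layout `<process index>.<stage>.<timestamp>.<base address>.<protection>.<type>.sdmp` (read off the names listed here; the fields are this editor's interpretation, not vendor documentation) and that the protection field carries the standard Windows page-protection value. The process index 3 is tied to RegSvcs.exe by the `3.2.RegSvcs.exe.400000.0.unpack` entry in the same list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard Windows page-protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Assumed layout of a Joe Sandbox memory-dump name, read off the names on this page:
# <process index>.<stage>.<timestamp>.<base address>.<protection>.<type>.sdmp
# (all fields hex except the timestamp). Editor's interpretation, not vendor documentation.
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)
YARA_LINE_RE = re.compile(r"File source:\s*(?P<src>\S+),\s*type:\s*(?P<kind>\w+)")


@dataclass(frozen=True)
class DumpRegion:
    proc: int      # sandbox process index (3 is RegSvcs.exe per "3.2.RegSvcs.exe.400000.0.unpack")
    stage: int
    base: int
    protect: int
    mtype: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:08x}")

    @property
    def is_rwx(self) -> bool:
        return (self.protect & 0xFF) == 0x40


def parse_dump_name(name: str) -> Optional[DumpRegion]:
    """Decode one .sdmp name; returns None for unpacked-PE names and anything else."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return DumpRegion(int(m["proc"], 16), int(m["stage"], 16), int(m["base"], 16),
                      int(m["protect"], 16), int(m["mtype"], 16))


def parse_yara_sources(report_lines: List[str]) -> List[DumpRegion]:
    """Pull every MEMORY Yara-match source out of report text and decode it."""
    regions: List[DumpRegion] = []
    for line in report_lines:
        m = YARA_LINE_RE.search(line)
        if m and m["kind"] == "MEMORY":
            r = parse_dump_name(m["src"])
            if r:
                regions.append(r)
    return regions


def rwx_regions(regions: List[DumpRegion]) -> List[Tuple[int, int]]:
    """(process index, base) of each matched region that is readable, writable and executable."""
    return sorted({(r.proc, r.base) for r in regions if r.is_rwx})


def by_process(regions: List[DumpRegion]) -> Dict[int, List[str]]:
    """Group matched regions per sandbox process, ordered by base address."""
    out: Dict[int, List[str]] = {}
    for r in sorted(set(regions), key=lambda r: (r.proc, r.base)):
        out.setdefault(r.proc, []).append(f"0x{r.base:x} {r.protect_name}")
    return out


# The "Yara detected FormBook" source lines from this report, copied verbatim.
REPORT_LINES = [
    "Source: Yara match File source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE",
]

if __name__ == "__main__":
    regs = parse_yara_sources(REPORT_LINES)
    for proc, items in by_process(regs).items():
        print(f"process {proc}: " + ", ".join(items))
    print("RWX regions:", [(p, hex(b)) for p, b in rwx_regions(regs)])
```

Under these assumptions the RegSvcs.exe image base (0x400000) and two further regions in process 3 are all PAGE_EXECUTE_READWRITE, as are two regions in process 15, which is what a hollowed host and an injected payload look like; the two PAGE_READWRITE hits (process 0 and process 15) are data copies of the payload rather than executing code.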
Behavior Graph

Behavior Graph ID: 383924
Sample: nova narud#U017eba pdf rvP6N.exe
Startdate: 08/04/2021
Architecture: WINDOWS
Score: 100

Start node
  DNS: www.lovetarot.online
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures

nova narud#U017eba pdf rvP6N.exe (started)
  Dropped files:
    C:\Users\user\AppData\...\kPDOHsyqKitj.exe (PE32)
    C:\Users\...\kPDOHsyqKitj.exe:Zone.Identifier (ASCII)
    C:\Users\user\AppData\Local\...\tmp59AC.tmp (XML)
    C:\...\nova narud#U017eba pdf rvP6N.exe.log (ASCII)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: RegSvcs.exe; schtasks.exe

RegSvcs.exe (started by the sample)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
  Injected into: explorer.exe

schtasks.exe (started by the sample)
  Started: conhost.exe

explorer.exe (injected by RegSvcs.exe)
  Network: www.magentos6.com 63.250.37.200:80 (source port 49717), NAMECHEAP-NETUS, United States; www.businesshouse5asidejm.com 156.235.148.136:80 (source port 49729), DXTL-HKDXTLTseungKwanOServiceHK, Seychelles
  Signatures: System process connects to network (likely due to code injection or exploit); Uses netsh to modify the Windows network and firewall settings
  Started: netsh.exe

netsh.exe (started by explorer.exe)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  Started: cmd.exe

cmd.exe (started by netsh.exe)
  Started: conhost.exe
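The process chain in the behavior graph (sample launches RegSvcs.exe and schtasks.exe, RegSvcs.exe injects into explorer.exe, explorer.exe launches netsh.exe, netsh.exe launches cmd.exe) is the part of this report that translates most directly into endpoint detection. The script below is an added example by this editor, not part of the report or of any detection product: it transcribes that tree from the graph and runs five parent/child rules over it. The `edge` field distinguishes a real process creation from an injection edge, because the explorer.exe node here was injected, not created, and a process-creation log would never show RegSvcs.exe as its parent. The image-name sets are assumptions for the example (a production rule would key on signed image paths under C:\Windows rather than on file names), and only RegSvcs.exe among the hollowing hosts appears on this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcNode:
    node: int               # node id from the behavior graph
    image: str              # image file name
    parent: Optional[int]   # node id of the creating (or injecting) process
    edge: str = "started"   # "started" = process creation, "injected" = code injection


# Process tree transcribed from the behavior graph on this page.
SAMPLE_TREE: List[ProcNode] = [
    ProcNode(11, "nova narud#U017eba pdf rvP6N.exe", None),
    ProcNode(15, "RegSvcs.exe", 11),
    ProcNode(18, "schtasks.exe", 11),
    ProcNode(24, "conhost.exe", 18),
    ProcNode(20, "explorer.exe", 15, "injected"),
    ProcNode(26, "netsh.exe", 20),
    ProcNode(29, "cmd.exe", 26),
    ProcNode(31, "conhost.exe", 29),
]

# Assumption for the example: Windows-native images are recognised by file name.
WINDOWS_IMAGES = {"explorer.exe", "conhost.exe", "cmd.exe", "netsh.exe", "schtasks.exe"}
SHELL_PARENTS = {"explorer.exe"}
NET_TOOLS = {"netsh.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# .NET framework utilities commonly hollowed; only RegSvcs.exe is on this page,
# RegAsm.exe and MSBuild.exe are an assumption.
HOLLOWING_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe"}
SCHEDULERS = {"schtasks.exe", "at.exe"}

Finding = Tuple[str, int, int]  # (rule name, parent node, child node)


def detect(tree: List[ProcNode]) -> List[Finding]:
    """Run the parent/child rules over a process tree and return every hit in tree order."""
    by_id = {n.node: n for n in tree}
    findings: List[Finding] = []
    for n in tree:
        if n.parent is None:
            continue
        p = by_id[n.parent]
        pi, ci = p.image.lower(), n.image.lower()
        if n.edge == "injected":
            # A Windows process receiving code from another process; the remaining
            # rules assume a real creation relationship, so stop here for this edge.
            if ci in WINDOWS_IMAGES:
                findings.append(("injection_into_windows_process", p.node, n.node))
            continue
        if ci in HOLLOWING_HOSTS and pi not in WINDOWS_IMAGES:
            findings.append(("hollowing_host_from_untrusted_parent", p.node, n.node))
        if ci in SCHEDULERS and pi not in WINDOWS_IMAGES:
            findings.append(("scheduled_task_from_untrusted_parent", p.node, n.node))
        if pi in SHELL_PARENTS and ci in NET_TOOLS:
            findings.append(("shell_spawns_netsh", p.node, n.node))
        if pi in NET_TOOLS and ci in SHELLS:
            findings.append(("netsh_spawns_shell", p.node, n.node))
    return findings


if __name__ == "__main__":
    for rule, parent, child in detect(SAMPLE_TREE):
        print(f"{rule}: node {parent} -> node {child}")
```

Run against the transcribed tree this yields five findings, one per suspicious edge in the graph; the conhost.exe children are ignored, as they should be. The netsh.exe to cmd.exe rule is the one worth keeping even on a noisy estate, since netsh has no legitimate reason to launch a shell.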

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
63.250.37.200 | www.magentos6.com | United States | 22612 | NAMECHEAP-NETUS | true
156.235.148.136 | www.businesshouse5asidejm.com | Seychelles | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true

Contacted Domains

Name | IP | Active
www.magentos6.com | 63.250.37.200 | true
www.businesshouse5asidejm.com | 156.235.148.136 | true
www.lovetarot.online | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.businesshouse5asidejm.com/sqxs/?9r=vISvmTlEiopKSz7sbFBAxkFCF8r7k2dJAG7u5uLq0h9VZPMRNv+QYXnwEIKYsgNdKjl1RWh6mQ==&sZRd=1bYDYvm0JHdHoLj | true | Avira URL Cloud: safe | unknown
www.lovetarot.online/sqxs/ | true | Avira URL Cloud: malware | low
http://www.magentos6.com/sqxs/?9r=MRpl8UDFdJqnpJCoHCjX+0bMpbzGGukG+UMXxre6C1KfRpZnCXnM0uJ6ixOsqKWJKMs9S6HgiQ==&sZRd=1bYDYvm0JHdHoLj | true | Avira URL Cloud: safe | unknown
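Two of the three contacted URLs are rated "safe" by Avira URL Cloud even though the sandbox marks them malicious, so URL reputation alone will not find this beacon in proxy logs. What the three URLs share is structural: the same path `/sqxs/` on every host, a first query parameter carrying a base64 blob, and a second parameter whose value `1bYDYvm0JHdHoLj` is identical across both hosts. The script below is an added example by this editor, not tooling from the report: it extracts those features from a URL and hunts for the same path or the same second-parameter token across constructed proxy-log lines. The log lines, the client addresses and the `beacon-pivot.test` host are constructed for the example; the URLs from this report are copied verbatim. The query string is split by hand rather than with `parse_qsl`, because `parse_qsl` would turn the `+` inside the base64 value into a space.

```python
import base64
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators taken from the three contacted URLs on this page.
C2_PATH = "/sqxs/"
CAMPAIGN_TOKEN = "1bYDYvm0JHdHoLj"   # sZRd value shared by both beacons

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def split_query(query: str) -> Dict[str, str]:
    """Split a query string without percent/plus decoding, so base64 '+' survives."""
    out: Dict[str, str] = {}
    for part in query.split("&"):
        if part:
            k, _, v = part.partition("=")
            out[k] = v
    return out


def beacon_features(url: str) -> Dict[str, object]:
    """Host, path, parameter names, decoded length of the first value, and the second value."""
    if "://" not in url:
        url = "http://" + url          # the report lists one URL without a scheme
    u = urlsplit(url)
    params = split_query(u.query)
    values = list(params.values())
    payload = values[0] if values else ""
    payload_len = None
    if payload and B64_RE.match(payload) and len(payload) % 4 == 0:
        payload_len = len(base64.b64decode(payload))
    return {
        "host": u.hostname,
        "path": u.path,
        "param_names": list(params.keys()),
        "payload_len": payload_len,                       # None when not base64
        "campaign": values[1] if len(values) > 1 else None,
    }


def is_family_beacon(url: str) -> bool:
    f = beacon_features(url)
    return f["path"] == C2_PATH or f["campaign"] == CAMPAIGN_TOKEN


# Constructed proxy-log lines (not from the report): time, client, method, URL, status.
PROXY_LOG = [
    "2021-04-08T10:01:12Z 10.0.0.5 GET http://www.magentos6.com/sqxs/?9r=MRpl8UDFdJqnpJCoHCjX+0bMpbzGGukG+UMXxre6C1KfRpZnCXnM0uJ6ixOsqKWJKMs9S6HgiQ==&sZRd=1bYDYvm0JHdHoLj 200",
    "2021-04-08T10:01:15Z 10.0.0.5 GET http://www.example.org/index.html 200",
    "2021-04-08T10:02:40Z 10.0.0.5 GET http://www.businesshouse5asidejm.com/sqxs/?9r=vISvmTlEiopKSz7sbFBAxkFCF8r7k2dJAG7u5uLq0h9VZPMRNv+QYXnwEIKYsgNdKjl1RWh6mQ==&sZRd=1bYDYvm0JHdHoLj 404",
    "2021-04-08T10:03:02Z 10.0.0.9 GET http://cdn.example.net/static/app.js?v=3 200",
    "2021-04-08T10:05:11Z 10.0.0.5 GET http://www.lovetarot.online/sqxs/ 503",
    # Constructed host with a different path that reuses the sZRd token: the pivot case.
    "2021-04-08T10:09:37Z 10.0.0.7 GET http://beacon-pivot.test/zzzz/?ab=QUJD&cd=1bYDYvm0JHdHoLj 200",
]


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose URL matches the beacon path or the campaign token."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, status = fields[:5]
        if is_family_beacon(url):
            f = beacon_features(url)
            hits.append({"time": ts, "client": client, "host": f["host"], "status": status,
                         "why": "path" if f["path"] == C2_PATH else "campaign_token"})
    return hits


if __name__ == "__main__":
    for h in hunt(PROXY_LOG):
        print(f'{h["time"]} {h["client"]} -> {h["host"]} ({h["why"]}, HTTP {h["status"]})')
```

Both base64 payloads on this page decode to 55 bytes, which is a useful secondary feature when the path and token change between campaigns: beacons of one build tend to carry the same-length encrypted blob. The hunt flags the three report hosts by path and the constructed pivot host by token, and ignores the benign lines.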