
Analysis Report Proforma Invoice No. 14214.exe

Overview

General Information

Sample Name: Proforma Invoice No. 14214.exe
Analysis ID: 433051
MD5: 7c8ebff62083aaaa70e6ca8311776afa
SHA1: ae068ca1a02edd4f2e50657a1f223e86f1bbe499
SHA256: 70840e5d766990e38d2a5e209106d19fb19e9c1b77fc2eb1b870f698da1f1a84
Tags: exe
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • Proforma Invoice No. 14214.exe (PID: 6440 cmdline: 'C:\Users\user\Desktop\Proforma Invoice No. 14214.exe' MD5: 7C8EBFF62083AAAA70E6CA8311776AFA)
    • RegSvcs.exe (PID: 6564 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • NXLun.exe (PID: 6048 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NXLun.exe (PID: 5620 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "anando@citechco.net", "Password": "Webana@321#", "Host": "mail.citechco.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000000.344864623.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000000.344864623.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000002.00000002.603094924.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.603094924.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000002.00000002.605727213.00000000032DB000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(8 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
2.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.Proforma Invoice No. 14214.exe.3e01450.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(3 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Proforma Invoice No. 14214.exe' , ParentImage: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe, ParentProcessId: 6440, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6564
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Proforma Invoice No. 14214.exe' , ParentImage: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe, ParentProcessId: 6440, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6564

Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "anando@citechco.net", "Password": "Webana@321#", "Host": "mail.citechco.net"}
Multi AV Scanner detection for submitted file
Source: Proforma Invoice No. 14214.exe | Virustotal: Detection: 37%
Source: Proforma Invoice No. 14214.exe | ReversingLabs: Detection: 28%
Machine Learning detection for sample
Source: Proforma Invoice No. 14214.exe | Joe Sandbox ML: detected
Source: 2.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Proforma Invoice No. 14214.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Proforma Invoice No. 14214.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ITypeLib.pdbh source: Proforma Invoice No. 14214.exe
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 0000000A.00000002.418746456.0000000000692000.00000002.00020000.sdmp, NXLun.exe, 0000000D.00000002.440030386.00000000003E2000.00000002.00020000.sdmp, NXLun.exe.2.dr
Source: Binary string: ITypeLib.pdb source: Proforma Invoice No. 14214.exe
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: NXLun.exe, 0000000A.00000002.419412855.0000000002B40000.00000002.00000001.sdmp, NXLun.exe, 0000000D.00000002.440906669.0000000004BE0000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.2.dr
Source: global traffic | TCP traffic: 192.168.2.6:49742 -> 203.191.33.181:587
Source: global traffic | TCP traffic: 192.168.2.6:49742 -> 203.191.33.181:587
Source: unknown | DNS traffic detected: queries for: mail.citechco.net
Source: RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000002.00000002.605727213.00000000032DB000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.606044540.0000000003355000.00000004.00000001.sdmp | String found in binary or memory: http://Ustq4cbAUDG33rrxc.org
Source: RegSvcs.exe, 00000002.00000002.605929038.000000000332A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000002.00000002.610640634.000000000638F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000002.00000002.605929038.000000000332A000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp | String found in binary or memory: http://kRGqzl.com
Source: RegSvcs.exe, 00000002.00000002.605929038.000000000332A000.00000004.00000001.sdmp | String found in binary or memory: http://mail.citechco.net
Source: RegSvcs.exe, 00000002.00000002.605929038.000000000332A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000002.00000002.605929038.000000000332A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352422358.0000000002D41000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000002.00000002.605929038.000000000332A000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.353706824.0000000003D49000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000000.344864623.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 2.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bEB1FE0F0u002dD3F7u002d4CA7u002dA6E6u002d30D966CA64F5u007d/u0035A9A7DD3u002dC878u002d49AAu002dA3CCu002d93748952BFF0.cs | Large array initialization: .cctor: array initializer size 11946
Source: 2.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bEB1FE0F0u002dD3F7u002d4CA7u002dA6E6u002d30D966CA64F5u007d/u0035A9A7DD3u002dC878u002d49AAu002dA3CCu002d93748952BFF0.cs | Large array initialization: .cctor: array initializer size 11946
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Proforma Invoice No. 14214.exe
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_006D8024 0_2_006D8024
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_006D2696 0_2_006D2696
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_0122C788 0_2_0122C788
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_0122AD88 0_2_0122AD88
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_02A30281 0_2_02A30281
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_02A31945 0_2_02A31945
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_02A30239 0_2_02A30239
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_02A30268 0_2_02A30268
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_02A30007 0_2_02A30007
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_02A30040 0_2_02A30040
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_02D1A130 0_2_02D1A130
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_02D1A120 0_2_02D1A120
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_02D19EC0 0_2_02D19EC0
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Code function: 0_2_02D19EBF 0_2_02D19EBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0162BD70 2_2_0162BD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016205EF 2_2_016205EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01624B80 2_2_01624B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016296F8 2_2_016296F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01628E80 2_2_01628E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016253C8 2_2_016253C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016252CA 2_2_016252CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016B47A0 2_2_016B47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016B4730 2_2_016B4730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016B4790 2_2_016B4790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016B46B0 2_2_016B46B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_016BD670 2_2_016BD670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06546508 2_2_06546508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06546850 2_2_06546850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065490D8 2_2_065490D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06547120 2_2_06547120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06895690 2_2_06895690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0689A208 2_2_0689A208
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0654BEC0 appears 48 times
Source: Proforma Invoice No. 14214.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.350087012.00000000007AE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameITypeLib.exe< vs Proforma Invoice No. 14214.exe
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352422358.0000000002D41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefIuXDFbZUwhAPkOKPtFUUkLyKIoWxpLX.exe4 vs Proforma Invoice No. 14214.exe
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.353965910.0000000003EBE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs Proforma Invoice No. 14214.exe
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.353706824.0000000003D49000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs Proforma Invoice No. 14214.exe
Source: Proforma Invoice No. 14214.exe | Binary or memory string: OriginalFilenameITypeLib.exe< vs Proforma Invoice No. 14214.exe
Source: Proforma Invoice No. 14214.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Proforma Invoice No. 14214.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Proforma Invoice No. 14214.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Proforma Invoice No. 14214.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0654CC4C UserClientDllInitialize,KiUserExceptionDispatcher,GetFirmwareType,GetDateFormatAWorker,ClientThreadSetup,SendMessageTimeoutW,GetMessageW,CreateToolhelp32Snapshot,SetThreadDpiAwarenessContext,SetClipboardData,KiUserExceptionDispatcher,CreateActCtxWWorker,KiUserExceptionDispatcher,SetXStateFeaturesMask,LdrInitializeThunk, 2_2_0654CC4C
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proforma Invoice No. 14214.exe.log
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Mutant created: \Sessions\1\BaseNamedObjects\XxuFpYNIkvOt
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_01
Source: Proforma Invoice No. 14214.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: Proforma Invoice No. 14214.exe | Virustotal: Detection: 37%
Source: Proforma Invoice No. 14214.exe | ReversingLabs: Detection: 28%
Source: unknown | Process created: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe 'C:\Users\user\Desktop\Proforma Invoice No. 14214.exe'
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Proforma Invoice No. 14214.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Proforma Invoice No. 14214.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Proforma Invoice No. 14214.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ITypeLib.pdbh source: Proforma Invoice No. 14214.exe
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 0000000A.00000002.418746456.0000000000692000.00000002.00020000.sdmp, NXLun.exe, 0000000D.00000002.440030386.00000000003E2000.00000002.00020000.sdmp, NXLun.exe.2.dr
Source: Binary string: ITypeLib.pdb source: Proforma Invoice No. 14214.exe
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: NXLun.exe, 0000000A.00000002.419412855.0000000002B40000.00000002.00000001.sdmp, NXLun.exe, 0000000D.00000002.440906669.0000000004BE0000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.2.dr

                      Data Obfuscation:

                      barindex
                      .NET source code contains method to dynamically call methods (often used by packers)Show sources
                      Source: Proforma Invoice No. 14214.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
                      Source: 0.2.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
                      Source: 0.0.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_0122EC7A push eax; ret 0_2_0122EC81
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D18351 pushad ; retf 0_2_02D18352
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D18369 pushad ; retf 0_2_02D1836A
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D181ED pushad ; retf 0_2_02D181EF
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D186A8 pushad ; retf 0_2_02D186A9
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D1F613 push cs; ret 0_2_02D1F621
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D137B8 push edx; retf 0_2_02D13896
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D1F707 push edx; ret 0_2_02D1F70D
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D18444 pushad ; retf 0_2_02D18445
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D1846F pushad ; retf 0_2_02D18471
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D12428 push edx; retf 0_2_02D1243A
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D1842C pushad ; retf 0_2_02D1842D
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D16547 pushad ; retf 0_2_02D16556
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17AD8 pushad ; retf 0_2_02D17AD9
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D14AF0 pushad ; retf 0_2_02D14AFE
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17AB4 pushad ; retf 0_2_02D17AB5
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D129EF pushad ; ret 0_2_02D12A03
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17E56 pushad ; retf 0_2_02D17E57
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17E44 pushad ; retf 0_2_02D17E46
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17E7A pushad ; retf 0_2_02D17E7C
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17E6E pushad ; retf 0_2_02D17E6F
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17E13 pushad ; retf 0_2_02D17E14
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17F38 pushad ; retf 0_2_02D17F39
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17F26 pushad ; retf 0_2_02D17F28
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17CBA pushad ; retf 0_2_02D17CBB
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17D80 pushad ; retf 0_2_02D17D81
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17DAB pushad ; retf 0_2_02D17DAD
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17D57 pushad ; retf 0_2_02D17D58
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Code function: 0_2_02D17D68 pushad ; retf 0_2_02D17D69
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 2_2_016234EC push eax; retf 2_2_016234ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 2_2_0162ECF1 push es; ret 2_2_0162ED00
                      Source: initial sample; Static PE information: section name: .text entropy: 7.85165302364
                      Source: Proforma Invoice No. 14214.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs; High entropy of concatenated method names: '.cctor', 'jPJmt4', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
                      Source: 0.2.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs; High entropy of concatenated method names: '.cctor', 'jPJmt4', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
                      Source: 0.0.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs; High entropy of concatenated method names: '.cctor', 'jPJmt4', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Process information set: NOOPENFILEERRORBOX