
Analysis Report Purchase_Order.exe

Overview

General Information

Sample Name: Purchase_Order.exe
Analysis ID: 433266
MD5: 4aa8159742becd97f9ecdda33798b065
SHA1: 775aee28c33102de8c4bdd45dd09821b717b8678
SHA256: 65c6621762bb1bb1589a4a58d4ab2d3fa7c02e581b217b86ed2ff51227d7565b
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Purchase_Order.exe (PID: 1528 cmdline: 'C:\Users\user\Desktop\Purchase_Order.exe' MD5: 4AA8159742BECD97F9ECDDA33798B065)
    • RegSvcs.exe (PID: 3608 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 1752 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 1200 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.culturalinterface.net/uqf5/"], "decoy": ["paolograssino.com", "hammockcoastproperty.net", "blinbins.com", "financierapoorvenirsas.com", "mattruddle.com", "wighumanhair.com", "tvdajiang14.com", "theblackharvest.com", "tylerrucarean.com", "a-prime-india-demataccount.zone", "amboselisafarigallery.info", "toolbnbapp.com", "scientificindustrial.com", "trainup-wall.com", "pocosmo.com", "thebluepottingtable.com", "leavelogs.com", "verbalfreedom.com", "qa4i.com", "kiiikoo.com", "glossedbythebrat.com", "gorditasdemaiz.com", "healthystartswithin.com", "homeanddesignstudio.com", "skalewide.com", "bestdispatchtowitnesstoday.info", "cineconhisense.com", "mahibhardwaj.com", "imperatrizacam.com", "bezoekburen.com", "qbakan.com", "ansalapishagunrealestate.com", "crow94723.com", "kosova.one", "chhhju.com", "cominghomestead.com", "ingenious.care", "unclesamsoftware.com", "xn--cfe12fhb.com", "tradinglantern.com", "wwwthedrudgereport.com", "researchinnovations.net", "to-cs.com", "sandia.info", "tachibana-fukushima.com", "pzzfw.com", "flockuplabs.com", "stays.travel", "itertempora.net", "murrietayoga.com", "plus5tocrafting.com", "ovidrelprefilledsyringe.com", "prltoday.com", "l24consultants.net", "mexicobeachselfstorage.com", "bnvjufj.icu", "schulze.media", "thewinebarrel.info", "blesst.tech", "newtec.life", "acmarketinghacks.com", "elitevillaholidays.com", "pr-daily.com", "cgjanvier.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0xb44d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xb486a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xdb8f0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xdbc8a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xc057d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0xe799d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0xc0069:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0xe7489:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0xc067f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0xe7a9f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0xc07f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xe7c17:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xb5282:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0xdc6a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0xbf2e4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xe6704:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb5ffa:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0xdd41a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0xc566f:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xeca8f:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xc6712:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0xc25a1:$sqlite3step: 68 34 1C 7B E1
      • 0xc26b4:$sqlite3step: 68 34 1C 7B E1
      • 0xe99c1:$sqlite3step: 68 34 1C 7B E1
      • 0xe9ad4:$sqlite3step: 68 34 1C 7B E1
      • 0xc25d0:$sqlite3text: 68 38 2A 90 C5
      • 0xc26f5:$sqlite3text: 68 38 2A 90 C5
      • 0xe99f0:$sqlite3text: 68 38 2A 90 C5
      • 0xe9b15:$sqlite3text: 68 38 2A 90 C5
      • 0xc25e3:$sqlite3blob: 68 53 D8 7F 8C
      • 0xc270b:$sqlite3blob: 68 53 D8 7F 8C
      • 0xe9a03:$sqlite3blob: 68 53 D8 7F 8C
      • 0xe9b2b:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

        Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.RegSvcs.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x158b9:$sqlite3step: 68 34 1C 7B E1
          • 0x159cc:$sqlite3step: 68 34 1C 7B E1
          • 0x158e8:$sqlite3text: 68 38 2A 90 C5
          • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
          • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
          • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
4.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.0.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
            • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
            • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
            • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
            • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
            • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
            • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
            • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
            • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
            • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

            Sigma Overview

System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Purchase_Order.exe', ParentImage: C:\Users\user\Desktop\Purchase_Order.exe, ParentProcessId: 1528, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 3608
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Purchase_Order.exe', ParentImage: C:\Users\user\Desktop\Purchase_Order.exe, ParentProcessId: 1528, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 3608
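Both Sigma hits fire on the same event from the process tree: a .NET framework host (RegSvcs.exe) started with no arguments by a parent living in a user-writable path, which is the moment the suspended host for process hollowing is created; the tree then ends with cmd.exe deleting that host binary. As an added example that is not part of this report or of the published Sigma rules, the Python below re-implements that logic over constructed Sysmon-style process-creation records modelled on the process tree. The record field names, the RegAsm.exe addition, the benign control record and the severity scheme are assumptions, and the checks approximate the idea behind the two rules rather than reproduce their exact selections.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1-style records modelled on this report's process tree.
# Field names follow Sysmon; the values are not real telemetry. The last record is a
# benign control: RegSvcs.exe used as intended, with an assembly to register.
EVENTS = [
    {"ProcessId": 1528, "Image": r"C:\Users\user\Desktop\Purchase_Order.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Purchase_Order.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 3608, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\user\Desktop\Purchase_Order.exe"},
    {"ProcessId": 1200, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
     "ParentImage": r"C:\Windows\SysWOW64\systray.exe"},
    {"ProcessId": 900, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /tlb Component.dll",
     "ParentImage": r"C:\Program Files\BuildAgent\agent.exe"},
]

# .NET framework hosts that get hollowed; RegAsm.exe is an assumption beyond this report.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe"}


def windows_argv(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted paths whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return ntpath.basename(path).lower()


def dotnet_host_without_args(ev):
    """RegSvcs.exe normally receives an assembly to register; a bare start is the hollowing pattern."""
    argv = windows_argv(ev["CommandLine"])
    return basename(ev["Image"]) in DOTNET_HOSTS and len(argv) <= 1


def parent_in_user_path(ev):
    """Parent executing from a user-writable location, as Purchase_Order.exe does here."""
    return ev["ParentImage"].lower().startswith("c:\\users\\")


def cmd_deletes_windows_binary(ev):
    """cmd /c del of a file under the Windows directory: the cleanup step closing the tree."""
    if basename(ev["Image"]) != "cmd.exe":
        return False
    argv = [a.lower() for a in windows_argv(ev["CommandLine"])]
    if "del" not in argv or argv.index("del") + 1 >= len(argv):
        return False
    return argv[argv.index("del") + 1].startswith("c:\\windows\\")


def hunt(events):
    """Return (ProcessId, rule, severity) for every record that matches a check."""
    findings = []
    for ev in events:
        if dotnet_host_without_args(ev):
            severity = "high" if parent_in_user_path(ev) else "medium"
            findings.append((ev["ProcessId"], "dotnet_host_no_args", severity))
        if cmd_deletes_windows_binary(ev):
            findings.append((ev["ProcessId"], "cmd_del_windows_binary", "high"))
    return findings


if __name__ == "__main__":
    for pid, rule, severity in hunt(EVENTS):
        print(f"PID {pid}: {rule} [{severity}]")
```

The argument-count check is what separates the hollowed host from legitimate use: the control record passes `/tlb Component.dll` and is not flagged, while PID 3608 is started with nothing to register from a Desktop parent, and PID 1200 is the deletion of a framework binary that no build process performs.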

            Signature Overview


            AV Detection:

Found malware configuration
Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Purchase_Order.exe | VirusTotal: Detection: 20%
Source: Purchase_Order.exe | ReversingLabs: Detection: 15%
            Source: Purchase_Order.exeReversingLabs: Detection: 15%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 4.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Purchase_Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase_Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: systray.pdb source: RegSvcs.exe, 00000004.00000002.320790980.0000000001240000.00000040.00000001.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.291292827.000000000E140000.00000002.00000001.sdmp
            Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000004.00000002.320790980.0000000001240000.00000040.00000001.sdmp
            Source: Binary string: RegSvcs.pdb, source: systray.exe, 00000010.00000002.507122760.0000000005477000.00000004.00000001.sdmp
            Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\LQmcYtPAJD\src\obj\Debug\AsAnyMarshaler.pdb source: Purchase_Order.exe
            Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000004.00000002.321048424.000000000136F000.00000040.00000001.sdmp, systray.exe, 00000010.00000002.505423938.0000000004F40000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, systray.exe
            Source: Binary string: RegSvcs.pdb source: systray.exe, 00000010.00000002.507122760.0000000005477000.00000004.00000001.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.291292827.000000000E140000.00000002.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then pop esi | 4_2_00415837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then pop ebx | 4_2_00406A94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then pop edi | 4_2_004162BB
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop esi | 16_2_010D5837
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop ebx | 16_2_010C6A95
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop edi | 16_2_010D62BB

            Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49730 -> 162.241.253.69:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49730 -> 162.241.253.69:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49730 -> 162.241.253.69:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 156.241.53.127:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 156.241.53.127:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 156.241.53.127:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 45.140.167.161:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 45.140.167.161:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 45.140.167.161:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49755 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49755 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49755 -> 35.246.6.109:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.culturalinterface.net/uqf5/
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580T900Haqnq5nepxFw==&x2J86x=b0DT HTTP/1.1 | Host: www.prltoday.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=RIGbPleGLKfxQTAe4w4l83Ie2Cv1rNcMEGxhR3mrD7G7p1l+kx0Gi9Gk7nXoQ0ETWUCd/ihSFA==&x2J86x=b0DT HTTP/1.1 | Host: www.gorditasdemaiz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=Da4K3sj86vB0DiXWDS0M3B9qaJwAtTAx24xw0Tll3v3x/H7Mq6Ed11VjNseOa8Aw4v8GgidMYQ==&x2J86x=b0DT HTTP/1.1 | Host: www.mexicobeachselfstorage.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=OWFfPnC7AN8R77spBBTPEjKTeS6t/Yq1T4r8C76EKqDZAgRBJ/M7pX2IcLDFGki/UVfODSOMWA==&x2J86x=b0DT HTTP/1.1 | Host: www.tylerrucarean.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=G6aWL4dGCeTaDQvTN0iTmiC4rQ5Mm02kgONc9W0Ihpzmf26Z6y5bJWrOsZ7s6rQ8mSLn4IOSJg==&x2J86x=b0DT HTTP/1.1 | Host: www.cgjanvier.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=kpO7L1Lkp8iY+ON3mW6Oq8CK0aWMRalGagQzJa0PwjziroypQJ68geE/Aoh82zgIKZtO8rNXLQ==&x2J86x=b0DT HTTP/1.1 | Host: www.flockuplabs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=0mO7J7bxUTMGF+cl/VKrKxzRBdjnePXE0BEJzt+odUfuolHzSnSh7sdQNpsCsCcZdtFb7j3ZKA==&x2J86x=b0DT HTTP/1.1 | Host: www.culturalinterface.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=pmtBAvifUG/ctnoihxxVo+fAjsCiy+wOZZJ542i91rLFt0/MLgCG4nudrW9V9JXQ/3W4T2ttkA==&x2J86x=b0DT HTTP/1.1 | Host: www.toolbnbapp.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=kfF6JYR62xx/HO09iSVcnhFTUCCMKaRIkXBWym1Qtkj7XLCdUz5OHH2iCIaFDs/mVibljY8vwA==&x2J86x=b0DT HTTP/1.1 | Host: www.trainup-wall.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=bDjqt1XeIDnHqlCDx4UVtMOGyZAgv2iIcL7KLwBfVGeKSjMBDNU7E4Z2+8mD2QoqovVkCTqMJw==&x2J86x=b0DT HTTP/1.1 | Host: www.paolograssino.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=RQXRa0j10XdpS+WphiMG79Lf9dki4UzLVajXOJjWNMbn24QJDQJAUPqvADWkiraA7rP5UEZeUQ==&x2J86x=b0DT HTTP/1.1 | Host: www.a-prime-india-demataccount.zone | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
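The Malware Configuration section lists one C2 URL and a long decoy list, and the traffic above shows how the sample uses them: the same URI path (/uqf5/) and the same two-parameter query shape (a long base64 blob followed by a short tag) are sent to www.-prefixed decoy domains and to the real C2 alike, with Connection: close and no User-Agent, which is what the Snort check-in signatures and the "HTTP GET or POST without a user agent" signature key on. As an added example that is not part of this report, the Python below derives the hunting set from the extracted configuration and runs both checks over constructed proxy-log lines built from the requests shown. The log format, the www. prefix rule, the base64-blob length threshold and the rotation threshold are assumptions; the parameter names and path are specific to this sample's build, so the shape check is deliberately written so that it does not depend on them.

```python
import re
from urllib.parse import urlsplit

# Configuration as extracted on this page, trimmed to a few decoys for the example.
CONFIG = {
    "C2 list": ["www.culturalinterface.net/uqf5/"],
    "decoy": ["paolograssino.com", "prltoday.com", "gorditasdemaiz.com",
              "mexicobeachselfstorage.com", "tylerrucarean.com"],
}

# Constructed proxy log: "<src_ip> <method> <url> <user_agent or ->". The 192.168.2.7
# query strings are taken from this report's traffic; the fourth reuses one of them with
# a decoy host that is outside the trimmed CONFIG, to show the shape check alone firing.
# The 192.168.2.9 lines are benign controls. None of this is a real capture.
LOG = """\
192.168.2.7 GET http://www.prltoday.com/uqf5/?7nBTylox=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580T900Haqnq5nepxFw==&x2J86x=b0DT -
192.168.2.7 GET http://www.gorditasdemaiz.com/uqf5/?7nBTylox=RIGbPleGLKfxQTAe4w4l83Ie2Cv1rNcMEGxhR3mrD7G7p1l+kx0Gi9Gk7nXoQ0ETWUCd/ihSFA==&x2J86x=b0DT -
192.168.2.7 GET http://www.culturalinterface.net/uqf5/?7nBTylox=0mO7J7bxUTMGF+cl/VKrKxzRBdjnePXE0BEJzt+odUfuolHzSnSh7sdQNpsCsCcZdtFb7j3ZKA==&x2J86x=b0DT -
192.168.2.7 GET http://www.tvdajiang14.com/uqf5/?7nBTylox=OWFfPnC7AN8R77spBBTPEjKTeS6t/Yq1T4r8C76EKqDZAgRBJ/M7pX2IcLDFGki/UVfODSOMWA==&x2J86x=b0DT -
192.168.2.9 GET http://www.prltoday.com/news/today.html Mozilla/5.0
192.168.2.9 GET http://www.google.com/search?q=formbook&hl=en Mozilla/5.0
"""

# Base64 alphabet, at least 40 characters, optional padding (length threshold is an assumption).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def c2_path_and_hosts(cfg):
    """The C2 entry carries the URI path; the sample rotates that path across the decoy
    domains, contacting them as www.<domain> (as the traffic above shows)."""
    host, _, path = cfg["C2 list"][0].partition("/")
    return "/" + path, {host} | {"www." + d for d in cfg["decoy"]}


def parse_query(query):
    """Split without URL-decoding, so '+' inside the base64 blob survives intact."""
    return [tuple(part.partition("=")[::2]) for part in query.split("&") if part]


def formbook_shaped(query):
    """Exactly two parameters: a long base64 blob, then a short tag (the shape seen above)."""
    pairs = parse_query(query)
    if len(pairs) != 2:
        return False
    blob, tag = pairs[0][1], pairs[1][1]
    return bool(B64_BLOB.fullmatch(blob)) and len(blob) % 4 == 0 and 0 < len(tag) <= 8


def hunt(log_text, cfg, rotation_threshold=3):
    """Per source IP: hosts hit on the C2 path, how many were in the config, how many
    requests lacked a User-Agent, and whether enough distinct hosts were cycled to look
    like decoy rotation (threshold is an assumption)."""
    path, hosts = c2_path_and_hosts(cfg)
    hits = {}
    for line in log_text.splitlines():
        src, method, url, ua = line.split(maxsplit=3)
        u = urlsplit(url)
        if u.path != path:
            continue                                   # the C2 path anchors every check
        if not (u.hostname in hosts or formbook_shaped(u.query)):
            continue
        h = hits.setdefault(src, {"hosts": [], "known_hosts": 0, "no_ua": 0, "rotation": False})
        h["hosts"].append(u.hostname)
        h["known_hosts"] += u.hostname in hosts
        h["no_ua"] += ua == "-" and method in ("GET", "POST")
        h["rotation"] = len(set(h["hosts"])) >= rotation_threshold
    return hits


if __name__ == "__main__":
    for src, h in hunt(LOG, CONFIG).items():
        print(src, h)
```

The host match gives high confidence but only for domains in this build's configuration; the query-shape match on the shared path is what catches the decoy that was left out of the trimmed config, and the absent User-Agent plus rotation across several hosts from one source is the corroboration a real proxy log would need before alerting. Benign browsing to a decoy domain on another path is not flagged.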
Source: Joe Sandbox View | IP Address: 213.186.33.5
Source: Joe Sandbox View | ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: Joe Sandbox View | ASN Name: OVHFR
Source: unknown | DNS traffic detected: queries for: www.prltoday.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 11 Jun 2021 13:02:33 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> </body></html>
Source: Purchase_Order.exe, 00000000.00000003.241548215.00000000061F2000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000007.00000000.291833894.000000000EBF8000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000007.00000000.291833894.000000000EBF8000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.micr
Source: Purchase_Order.exe, 00000000.00000002.259634056.0000000002AD1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase_Order.exe, 00000000.00000003.245364083.00000000061EE000.00000004.00000001.sdmp | String found in binary or memory: http://www.agfamonotype.
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000000.282669456.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Purchase_Order.exe, 00000000.00000003.242501601.00000000061CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Purchase_Order.exe, 00000000.00000003.242455042.00000000061CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma
Source: Purchase_Order.exe, 00000000.00000003.242501601.00000000061CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comen
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Purchase_Order.exe, 00000000.00000003.242501601.00000000061CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.commd
Source: Purchase_Order.exe, 00000000.00000002.269184385.00000000061CE000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase_Order.exe, 00000000.00000003.245036335.00000000061EE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase_Order.exe, 00000000.00000003.248726624.00000000061EE000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase_Order.exe | String found in binary or memory: http://www.google.com
Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmp, Purchase_Order.exe, 00000000.00000003.243172768.00000000061CA000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase_Order.exe, 00000000.00000003.243525864.00000000061C8000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/=
            Source: Purchase_Order.exe, 00000000.00000003.243172768.00000000061CA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/N
            Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Q
            Source: Purchase_Order.exe, 00000000.00000003.243525864.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/X
            Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/b
            Source: Purchase_Order.exe, 00000000.00000003.243525864.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
            Source: Purchase_Order.exe, 00000000.00000003.243525864.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Q
            Source: Purchase_Order.exe, 00000000.00000003.243047372.00000000061C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/oi
            Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/u
            Source: Purchase_Order.exe, 00000000.00000003.250232182.00000000061ED000.00000004.00000001.sdmp, Purchase_Order.exe, 00000000.00000003.245076408.00000000061EE000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
            Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: Purchase_Order.exe, 00000000.00000003.243758051.00000000061F1000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com-u
            Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match; File source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Initial sample is a PE file and has a suspicious name
            Source: initial sample; Static PE information: Filename: Purchase_Order.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_004181C0 NtCreateFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_00418270 NtReadFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_004182F0 NtClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_004183A0 NtAllocateVirtualMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0041826A NtReadFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_004182EE NtClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0041839A NtAllocateVirtualMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B99A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B98F0 NtReadVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9A20 NtResumeThread, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9A00 NtProtectVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9540 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B95D0 NtClose, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B97A0 NtUnmapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B96E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9950 NtQueueApcThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B99D0 NtCreateProcessEx
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9820 NtEnumerateKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012BB040 NtSuspendThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B98A0 NtWriteVirtualMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9B00 NtSetValueKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012BA3B0 NtGetContextThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9A10 NtQuerySection
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9A80 NtOpenDirectoryObject
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9520 NtWaitForSingleObject
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012BAD30 NtSetContextThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9560 NtWriteFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B95F0 NtQueryInformationFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9730 NtQueryVirtualMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012BA710 NtOpenProcessToken
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9760 NtOpenProcess
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9770 NtSetInformationFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012BA770 NtOpenThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9610 NtEnumerateValueKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9670 NtQueryInformationProcess
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B9650 NtQueryValueKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_012B96D0 NtCreateKey
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA95D0 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9540 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA96E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA96D0 NtCreateKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9650 NtQueryValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA99A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA95F0 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9560 NtWriteFile
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FAAD30 NtSetContextThread
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9520 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9670 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9610 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA97A0 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FAA770 NtOpenThread
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9770 NtSetInformationFile
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9760 NtOpenProcess
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9730 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FAA710 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA98F0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA98A0 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FAB040 NtSuspendThread
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9820 NtEnumerateKey
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA99D0 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9950 NtQueueApcThread
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9A80 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9A20 NtResumeThread
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9A10 NtQuerySection
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9A00 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FAA3B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_04FA9B00 NtSetValueKey
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_010D81C0 NtCreateFile
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_010D83A0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_010D8270 NtReadFile
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_010D82F0 NtClose
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_010D839A NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_010D826A NtReadFile
            Source: C:\Windows\SysWOW64\systray.exe; Code function: 16_2_010D82EE NtClose