Play interactive tour

Edit tour

Windows Analysis Report Payment_Advice.exe

Overview

General Information

Sample Name:	Payment_Advice.exe
Analysis ID:	458954
MD5:	b5a3a16559c14a2db6837fb8792134ae
SHA1:	31280391b1a399a3bc1c8ea0f4fb27e2dc9e56a0
SHA256:	c8ff043caee4e9cc889d1b7f8149e5c59ec43d2d01edeb49cb40fe1fd09a233a
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large strings

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Payment_Advice.exe (PID: 2648 cmdline: 'C:\Users\user\Desktop\Payment_Advice.exe' MD5: B5A3A16559C14A2DB6837FB8792134AE)

RegSvcs.exe (PID: 1156 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

cmd.exe (PID: 2288 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5756 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

RegSvcs.exe (PID: 2344 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

colorcpl.exe (PID: 1156 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.illoftapartments.com/uecu/"], "decoy": ["ishtarhotel.com", "woodstrends.icu", "jalenowens.com", "manno.expert", "ssg1asia.com", "telepathylaw.com", "quickoprintnv.com", "abrosnm3.com", "lumberjackcatering.com", "beachujamaica.com", "thomasjeffersonbyrd.com", "starryfinds.com", "shelavish2.com", "royalglamempirellc.com", "deixandomeuemprego.com", "alexgoestech.xyz", "opticamn.com", "fermanchevybrandon.com", "milbodegas.info", "adunarsrl.com", "dataatlus.com", "missabrams.com", "beaconservicesuk.com", "tvforpc.website", "dipmarketingagency.com", "milsontt.com", "londonsashwindowsservices.com", "feedmysheepdaily.com", "firsttimephysics.com", "hosefire.com", "southdocknj.com", "idfstool.com", "drelip.com", "decayette.com", "awakenedgodsofbeauty.com", "easttexasranch.com", "risinglanka.com", "meetingoffices.com", "vase-composition.com", "kupon.asia", "alltimeselfstorage.com", "gatorbrewcoffee.com", "api-pay-agent.com", "height-project.online", "flbtyc638.com", "psdmoravita.com", "highbrowhairstudio.com", "deepblueriver.com", "yh22022.com", "sts-100.com", "michaelfmoore.com", "alzheimers.computer", "produtos-servicos.website", "zyuyktlcu.icu", "ezewasser.com", "outstanding-palisade.com", "saioura.com", "core.run", "allaboutlifeblog.com", "foodolog.net", "somerderm.com", "scootrlv.com", "ahjjbxg.com", "gasworldchampionships.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x99100:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9949a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa51ad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xa4c99:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa52af:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xa5427:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99eb2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa3f14:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ac2a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xaa29f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xab342:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xa71d1:$sqlite3step: 68 34 1C 7B E1 0xa72e4:$sqlite3step: 68 34 1C 7B E1 0xa7200:$sqlite3text: 68 38 2A 90 C5 0xa7325:$sqlite3text: 68 38 2A 90 C5 0xa7213:$sqlite3blob: 68 53 D8 7F 8C 0xa733b:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x815b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d665:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8d151:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8d767:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8d8df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8236a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8c3cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x830e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x92757:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x937fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8f689:$sqlite3step: 68 34 1C 7B E1 0x8f79c:$sqlite3step: 68 34 1C 7B E1 0x8f6b8:$sqlite3text: 68 38 2A 90 C5 0x8f7dd:$sqlite3text: 68 38 2A 90 C5 0x8f6cb:$sqlite3blob: 68 53 D8 7F 8C 0x8f7f3:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Payment_Advice.exe PID: 2648	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
12.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', CommandLine: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: {path}, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 1156, ProcessCommandLine: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', ProcessId: 2288

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.illoftapartments.com/uecu/"], "decoy": ["ishtarhotel.com", "woodstrends.icu", "jalenowens.com", "manno.expert", "ssg1asia.com", "telepathylaw.com", "quickoprintnv.com", "abrosnm3.com", "lumberjackcatering.com", "beachujamaica.com", "thomasjeffersonbyrd.com", "starryfinds.com", "shelavish2.com", "royalglamempirellc.com", "deixandomeuemprego.com", "alexgoestech.xyz", "opticamn.com", "fermanchevybrandon.com", "milbodegas.info", "adunarsrl.com", "dataatlus.com", "missabrams.com", "beaconservicesuk.com", "tvforpc.website", "dipmarketingagency.com", "milsontt.com", "londonsashwindowsservices.com", "feedmysheepdaily.com", "firsttimephysics.com", "hosefire.com", "southdocknj.com", "idfstool.com", "drelip.com", "decayette.com", "awakenedgodsofbeauty.com", "easttexasranch.com", "risinglanka.com", "meetingoffices.com", "vase-composition.com", "kupon.asia", "alltimeselfstorage.com", "gatorbrewcoffee.com", "api-pay-agent.com", "height-project.online", "flbtyc638.com", "psdmoravita.com", "highbrowhairstudio.com", "deepblueriver.com", "yh22022.com", "sts-100.com", "michaelfmoore.com", "alzheimers.computer", "produtos-servicos.website", "zyuyktlcu.icu", "ezewasser.com", "outstanding-palisade.com", "saioura.com", "core.run", "allaboutlifeblog.com", "foodolog.net", "somerderm.com", "scootrlv.com", "ahjjbxg.com", "gasworldchampionships.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Payment_Advice.exe	Virustotal: Detection: 42%	Perma Link
Source: Payment_Advice.exe	Metadefender: Detection: 40%	Perma Link
Source: Payment_Advice.exe	ReversingLabs: Detection: 85%

Yara detected FormBook

Show sources

Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: Payment_Advice.exe

Joe Sandbox ML: detected

Source: 12.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: Payment_Advice.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Payment_Advice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: colorcpl.pdbGCTL source: RegSvcs.exe, 0000000C.00000002.356567151.0000000000B78000.00000004.00000020.sdmp
Source:	Binary string: colorcpl.pdb source: RegSvcs.exe, 0000000C.00000002.356567151.0000000000B78000.00000004.00000020.sdmp
Source:	Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000010.00000000.328016428.000000000F6F8000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.327085118.000000000EFC0000.00000002.00000001.sdmp
Source:	Binary string: RegSvcs.pdb, source: colorcpl.exe, 00000015.00000002.477075161.0000000004B67000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000C.00000002.357013841.0000000000FB0000.00000040.00000001.sdmp, colorcpl.exe, 00000015.00000002.471806591.0000000004630000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, colorcpl.exe
Source:	Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000010.00000000.328016428.000000000F6F8000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: colorcpl.exe, 00000015.00000002.477075161.0000000004B67000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.327085118.000000000EFC0000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 154.23.83.67:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 154.23.83.67:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 154.23.83.67:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.illoftapartments.com/uecu/

Source: global traffic	HTTP traffic detected: GET /uecu/?fXJ=z64Txz&2d3pCdLh=s7j1QsnOxn4iRchbaINLVToxitdCMGa8G3lQ/6LX9JGbR/ScT5dxpPHG5+tB2xnbOyUI HTTP/1.1Host: www.dipmarketingagency.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uecu/?2d3pCdLh=I+cFmvzvjfujRN3oltevYzRyUOJqDj5YxiqkJ4i7Zjmur1++tOYpTWGX3hXOvnB+KlCx&fXJ=z64Txz HTTP/1.1Host: www.illoftapartments.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uecu/?fXJ=z64Txz&2d3pCdLh=u60vTBsF9oPaXHkJdoxCc4Kqv5IVcROu1QUUkePEY82yQrKo/wvecAMYDl3vDcEzgvnI HTTP/1.1Host: www.manno.expertConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uecu/?2d3pCdLh=hr7+JRYyT1HVyDshWD8v/2ivT/o36mEBRVmbpvRN6jTQqfRWnpyet8LANEukLjLgYMOr&fXJ=z64Txz HTTP/1.1Host: www.firsttimephysics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 208.91.197.27 208.91.197.27

Source: Joe Sandbox View	ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic	HTTP traffic detected: GET /uecu/?fXJ=z64Txz&2d3pCdLh=s7j1QsnOxn4iRchbaINLVToxitdCMGa8G3lQ/6LX9JGbR/ScT5dxpPHG5+tB2xnbOyUI HTTP/1.1Host: www.dipmarketingagency.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uecu/?2d3pCdLh=I+cFmvzvjfujRN3oltevYzRyUOJqDj5YxiqkJ4i7Zjmur1++tOYpTWGX3hXOvnB+KlCx&fXJ=z64Txz HTTP/1.1Host: www.illoftapartments.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uecu/?fXJ=z64Txz&2d3pCdLh=u60vTBsF9oPaXHkJdoxCc4Kqv5IVcROu1QUUkePEY82yQrKo/wvecAMYDl3vDcEzgvnI HTTP/1.1Host: www.manno.expertConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uecu/?2d3pCdLh=hr7+JRYyT1HVyDshWD8v/2ivT/o36mEBRVmbpvRN6jTQqfRWnpyet8LANEukLjLgYMOr&fXJ=z64Txz HTTP/1.1Host: www.firsttimephysics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.dipmarketingagency.com

Source: explorer.exe, 00000010.00000000.320127365.0000000008907000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: colorcpl.exe, 00000015.00000002.477463431.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.arifureta-shokugyou-de-sekai-saikyou.com?fXJ=z64Txz&2d3pCdLh=euCGN8RtrYk2s603FqWaeKSKafFu
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment_Advice.exe, 00000000.00000002.290884369.0000000001867000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comamM
Source: Payment_Advice.exe, 00000000.00000002.290884369.0000000001867000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comepko
Source: Payment_Advice.exe, 00000000.00000002.290884369.0000000001867000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comm%M
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large strings

Show sources

Source: Payment_Advice.exe, ImageSilder/Transitions/Star.cs	Long String: Length: 24686
Source: 0.2.Payment_Advice.exe.d30000.0.unpack, ImageSilder/Transitions/Star.cs	Long String: Length: 24686
Source: 0.0.Payment_Advice.exe.d30000.0.unpack, ImageSilder/Transitions/Star.cs	Long String: Length: 24686

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Payment_Advice.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_004181D0 NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00418280 NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00418300 NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_004183B0 NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_004181CA NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041827A NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00418222 NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_004183AA NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010199A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010198F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010195D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010197A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010196E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019950 NtQueueApcThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010199D0 NtCreateProcessEx,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019820 NtEnumerateKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0101B040 NtSuspendThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010198A0 NtWriteVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019B00 NtSetValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0101A3B0 NtGetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019A10 NtQuerySection,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019A80 NtOpenDirectoryObject,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019520 NtWaitForSingleObject,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0101AD30 NtSetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019560 NtWriteFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010195F0 NtQueryInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0101A710 NtOpenProcessToken,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019730 NtQueryVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019760 NtOpenProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019770 NtSetInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0101A770 NtOpenThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019610 NtEnumerateValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019650 NtQueryValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01019670 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010196D0 NtCreateKey,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046995D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046996E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046996D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046999A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699560 NtWriteFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0469AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046995F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699760 NtOpenProcess,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0469A770 NtOpenThread,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0469A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046997A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0469B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046998F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046998A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046999D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699A20 NtResumeThread,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699A10 NtQuerySection,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04699B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0469A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025C8280 NtReadFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025C8300 NtClose,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025C83B0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025C81D0 NtCreateFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025C827A NtReadFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025C8222 NtReadFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025C83AA NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025C81CA NtCreateFile,

Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_00D36665
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_0300C1D4
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_0300E620
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_0300E630
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A2668
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A840E
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A3B40
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A9359
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A71A0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A68B0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A16B0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A16C0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A2667
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A25A8
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A0DB0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A0DC0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A4548
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A4558
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078AAC91
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A740C
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A1459
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A1468
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A4BB9
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A73C0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A4BD0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A1B09
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A1B18
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A6B18
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A6B17
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A3B3F
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A3230
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A4268
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A4267
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A7192
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A31DD
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A01E0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A01F0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A1941
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A1950
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A68A0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A10B0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A10C0
Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A6858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041B9A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041CB43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041C3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00408C6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00408C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00402D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041B67B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041C75A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FEB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010AE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FF4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010903DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0108FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01002581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010ADFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FF6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A2EF7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0471D466
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466841F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04721D55
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04650D20
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04722D07
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_047225DD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04682581
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04712D82
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04676E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0471D616
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04722EF7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04721FF1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0472DFCE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0472E824
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467A830
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711002
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_047228EC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046820A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_047220A8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466B090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04674120
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0465F900
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046799BF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B236
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0470FA2B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714AEF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_047222AE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046FCB4F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467AB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04722B28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467A309
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_047023E3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0471DBD2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_047103DA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468ABD8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468EBB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468138B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025CCB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025CCB43
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025CB9A5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025CB67B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025CC75A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025B2FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025B8C70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025B8C6B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025B2D90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025B2D88

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00FDB150 appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0465B150 appears 136 times

Source: Payment_Advice.exe, 00000000.00000002.301380501.0000000007950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs Payment_Advice.exe
Source: Payment_Advice.exe, 00000000.00000000.202669045.0000000000E0A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename0YuzGcFX.exe< vs Payment_Advice.exe
Source: Payment_Advice.exe, 00000000.00000002.301164733.0000000007600000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment_Advice.exe
Source: Payment_Advice.exe	Binary or memory string: OriginalFilename0YuzGcFX.exe< vs Payment_Advice.exe

Source: Payment_Advice.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Payment_Advice.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/1@6/3

Source: C:\Users\user\Desktop\Payment_Advice.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment_Advice.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice.exe	Mutant created: \Sessions\1\BaseNamedObjects\edkKpgTlqBUpGZfY
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4000:120:WilError_01

Source: Payment_Advice.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment_Advice.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Payment_Advice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Payment_Advice.exe	Virustotal: Detection: 42%
Source: Payment_Advice.exe	Metadefender: Detection: 40%
Source: Payment_Advice.exe	ReversingLabs: Detection: 85%

Source: unknown	Process created: C:\Users\user\Desktop\Payment_Advice.exe 'C:\Users\user\Desktop\Payment_Advice.exe'
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'

Source: C:\Users\user\Desktop\Payment_Advice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Payment_Advice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment_Advice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: colorcpl.pdbGCTL source: RegSvcs.exe, 0000000C.00000002.356567151.0000000000B78000.00000004.00000020.sdmp
Source:	Binary string: colorcpl.pdb source: RegSvcs.exe, 0000000C.00000002.356567151.0000000000B78000.00000004.00000020.sdmp
Source:	Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000010.00000000.328016428.000000000F6F8000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.327085118.000000000EFC0000.00000002.00000001.sdmp
Source:	Binary string: RegSvcs.pdb, source: colorcpl.exe, 00000015.00000002.477075161.0000000004B67000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000C.00000002.357013841.0000000000FB0000.00000040.00000001.sdmp, colorcpl.exe, 00000015.00000002.471806591.0000000004630000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, colorcpl.exe
Source:	Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000010.00000000.328016428.000000000F6F8000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: colorcpl.exe, 00000015.00000002.477075161.0000000004B67000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.327085118.000000000EFC0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Payment_Advice.exe, Form2.cs	.Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Payment_Advice.exe.d30000.0.unpack, Form2.cs	.Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Payment_Advice.exe.d30000.0.unpack, Form2.cs	.Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\Payment_Advice.exe	Code function: 0_2_078A40A2 push 8BF88B66h; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041B3C5 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041B47C push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041B412 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041B41B push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041A5D2 push edi; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041563A push esi; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_004157D6 pushfd ; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041578A pushfd ; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0102D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046AD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025CB3C5 push eax; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025C563A push esi; retf
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025C57D6 pushfd ; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025C578A pushfd ; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025CB47C push eax; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025CB41B push eax; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025CB412 push eax; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_025CA5D2 push edi; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.61652787362

Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment_Advice.exe PID: 2648, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Payment_Advice.exe, 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Payment_Advice.exe, 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 00000000025B85F4 second address: 00000000025B85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 00000000025B898E second address: 00000000025B8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 12_2_004088C0 rdtsc

Source: C:\Users\user\Desktop\Payment_Advice.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment_Advice.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Payment_Advice.exe TID: 6036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Payment_Advice.exe TID: 1320	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment_Advice.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment_Advice.exe	Thread delayed: delay time: 922337203685477

Source: explorer.exe, 00000010.00000000.317571295.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000010.00000000.317571295.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: Payment_Advice.exe, 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: explorer.exe, 00000010.00000000.317013528.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.315930642.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Payment_Advice.exe, 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Payment_Advice.exe, 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Payment_Advice.exe, 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000010.00000000.309380027.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: Payment_Advice.exe, 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000010.00000000.317571295.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000010.00000000.317571295.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000010.00000000.317724481.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000010.00000000.345833962.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: Payment_Advice.exe, 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000010.00000000.315930642.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000010.00000000.315930642.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Payment_Advice.exe, 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Payment_Advice.exe, 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Payment_Advice.exe, 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000010.00000000.315930642.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Payment_Advice.exe

Process information queried: ProcessInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 12_2_004088C0 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 12_2_00409B30 LdrLoadDll,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01002990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010569A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010949A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010949A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010949A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010949A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FF0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FF0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010641E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01057016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01057016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01057016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01092073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01053884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01053884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010190AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0106B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0106B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0106B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0106B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0106B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0106B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FF4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FEAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FEAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01003B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01003B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0108D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01002397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01004BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01004BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01004BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010553CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010553CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FF3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01014A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01014A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01064257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0108B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0108B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0101927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01002ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01002AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0105A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01004D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01004D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01004D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01013D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01053540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01083D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01002581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01002581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01002581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01002581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FF746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010035A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01001DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01001DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01001DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01088DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FED5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FED5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0106C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0106C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FF7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010914FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01056CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0106FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0106FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01057794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01057794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01057794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010137F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FDC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01008E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01091608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0100A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0108FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0109AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FE8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0106FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FEFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010546A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FEEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_01018EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0108FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010036CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FD4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010A8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_010016E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FFF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046EC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046EC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0472740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0472740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0472740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_047114FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04728CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04714496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04693D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04703D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04677D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04728D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0471E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04663D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04684D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04684D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04684D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0465AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046DA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04708DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0471FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0471FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0471FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0471FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046835A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04681DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04681DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04681DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_047205AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_047205AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04682581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04682581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04682581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04682581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04652D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04652D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04652D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04652D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04652D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04712D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04712D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04712D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04712D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04712D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04712D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04712D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04667E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04667E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04667E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04667E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04667E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04667E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0471AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0471AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0465E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0470FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0465C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0465C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0465C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04688E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04711608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046676E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046816E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04728ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046836CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04698EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0470FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04720EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04720EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04720EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046EFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04728F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04654F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04654F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046EFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046EFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0472070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0472070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046937F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04668794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04712073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04721074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04670050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04670050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0468002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0466B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04724015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_04724015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046D7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_0467B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 21_2_046540E1 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Payment_Advice.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\colorcpl.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Payment_Advice.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.dipmarketingagency.com
Source: C:\Windows\explorer.exe	Domain query: www.illoftapartments.com
Source: C:\Windows\explorer.exe	Network Connect: 208.91.197.27 80
Source: C:\Windows\explorer.exe	Domain query: www.firsttimephysics.com
Source: C:\Windows\explorer.exe	Domain query: www.manno.expert
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Network Connect: 173.254.28.149 80

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\Payment_Advice.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Payment_Advice.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\colorcpl.exe	Thread register set: target process: 3388

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 2C0000

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Payment_Advice.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\Payment_Advice.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\Payment_Advice.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 659008

Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Payment_Advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'

Source: explorer.exe, 00000010.00000000.333930210.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000010.00000000.296045888.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 00000015.00000002.471436439.0000000002EE0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000010.00000000.317571295.000000000871F000.00000004.00000001.sdmp, colorcpl.exe, 00000015.00000002.471436439.0000000002EE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.296045888.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 00000015.00000002.471436439.0000000002EE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.296045888.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 00000015.00000002.471436439.0000000002EE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Users\user\Desktop\Payment_Advice.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\Payment_Advice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection812	Masquerading1	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection812	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Payment_Advice.exe	43%	Virustotal		Browse
Payment_Advice.exe	46%	Metadefender		Browse
Payment_Advice.exe	86%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
Payment_Advice.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
12.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
illoftapartments.com	2%	Virustotal		Browse
www.missabrams.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.illoftapartments.com/uecu/?2d3pCdLh=I+cFmvzvjfujRN3oltevYzRyUOJqDj5YxiqkJ4i7Zjmur1++tOYpTWGX3hXOvnB+KlCx&fXJ=z64Txz	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.comamM	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.comepko	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comm%M	0%	Avira URL Cloud	safe
http://www.arifureta-shokugyou-de-sekai-saikyou.com?fXJ=z64Txz&2d3pCdLh=euCGN8RtrYk2s603FqWaeKSKafFu	0%	Avira URL Cloud	safe
http://www.firsttimephysics.com/uecu/?2d3pCdLh=hr7+JRYyT1HVyDshWD8v/2ivT/o36mEBRVmbpvRN6jTQqfRWnpyet8LANEukLjLgYMOr&fXJ=z64Txz	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
www.illoftapartments.com/uecu/	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.dipmarketingagency.com	173.254.28.149	true	true		unknown
illoftapartments.com	34.102.136.180	true	false	2%, Virustotal, Browse	unknown
manno.expert	34.102.136.180	true	false		unknown
www.missabrams.com	45.197.108.106	true	false	0%, Virustotal, Browse	unknown
www.quickoprintnv.com	154.23.83.67	true	true		unknown
www.firsttimephysics.com	208.91.197.27	true	true		unknown
www.illoftapartments.com	unknown	unknown	true		unknown
www.manno.expert	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.illoftapartments.com/uecu/?2d3pCdLh=I+cFmvzvjfujRN3oltevYzRyUOJqDj5YxiqkJ4i7Zjmur1++tOYpTWGX3hXOvnB+KlCx&fXJ=z64Txz	false	Avira URL Cloud: safe	unknown
http://www.firsttimephysics.com/uecu/?2d3pCdLh=hr7+JRYyT1HVyDshWD8v/2ivT/o36mEBRVmbpvRN6jTQqfRWnpyet8LANEukLjLgYMOr&fXJ=z64Txz	true	Avira URL Cloud: safe	unknown
www.illoftapartments.com/uecu/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comamM	Payment_Advice.exe, 00000000.00000002.290884369.0000000001867000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comepko	Payment_Advice.exe, 00000000.00000002.290884369.0000000001867000.00000004.00000040.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comm%M	Payment_Advice.exe, 00000000.00000002.290884369.0000000001867000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	low
http://www.arifureta-shokugyou-de-sekai-saikyou.com?fXJ=z64Txz&2d3pCdLh=euCGN8RtrYk2s603FqWaeKSKafFu	colorcpl.exe, 00000015.00000002.477463431.0000000004CE2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fonts.com	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Payment_Advice.exe, 00000000.00000002.297032677.0000000006100000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.320733081.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
34.102.136.180	illoftapartments.com	United States	15169	GOOGLEUS	false
208.91.197.27	www.firsttimephysics.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
173.254.28.149	www.dipmarketingagency.com	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458954
Start date:	03.08.2021
Start time:	22:30:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 14s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Payment_Advice.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/1@6/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 34.8% (good quality ratio 31.9%) Quality average: 71.7% Quality standard deviation: 31.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 13.88.21.125, 20.50.102.62, 23.211.4.86, 40.112.88.60, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
208.91.197.27	jnl3kWNWWS.exe	Get hash	malicious	Browse	www.certifiedlaywernj.com/uoe8/?lN94pX=KQL1U0jkwOK6bk9f0TEfGgpSk6NYazXrF0FfkI9y7fgaIWuwCAJ47CYWlNurQr1Y4rdS&k4b=_hSD
	2GuNlCn0X6.exe	Get hash	malicious	Browse	www.gmcworktrucksandvans.com/ushb/?5j5=I1O/uck6g9waIBnW5BVONfuZZqB0SN9ZqTQRctHuIhSHtr3ojOmVpygYbjT42+AiDZ+z&PjND=Mlr4_4Sx
	Order=bcm_28062021.exe	Get hash	malicious	Browse	www.researchinnovations.net/uqf5/?R2Jl=vPwqlu4x75djMEhpCHQA4gFf+95PxNUJ1qFGdpB6Q1QDKe6EVaB/Nk3rDLbvZfGP03YT&6lN=JfrLUXyhkZc
	0rder-bcm_23062021.exe	Get hash	malicious	Browse	www.researchinnovations.net/uqf5/?kRwl=vPwqlu4x75djMEhpCHQA4gFf+95PxNUJ1qFGdpB6Q1QDKe6EVaB/Nk3rDLbvZfGP03YT&5joHs0=8pFHanmpiBY0
	Purchase_Order.exe	Get hash	malicious	Browse	www.researchinnovations.net/uqf5/?6lU=cB64Yhz&oli=vPwqlu4x75djMEhpCHQA4gFf+95PxNUJ1qFGdpB6Q1QDKe6EVaB/Nk3rDI7VJOm3uQ5U
	CIh8xCD9fi.exe	Get hash	malicious	Browse	www.rentmystuff.info/sh2m/?o8bHpX=TSNWRgvJWBu1BreqPwc9vl9kVz+0+Hx/d5736XfHbnyatGnwwsv7zfxbAWBBdgyQ/d5H&RFQLz=3fQttPI8YNYDZ
	919780-920390.exe	Get hash	malicious	Browse	www.wheretheresaytheresaway.com/i3vu/?5j=c4V+ikE91G8kkdotqrW9bbIjBlPXHb2qceIJ/0ViGlJ3NVG8dy1ZG+wt654cEGlfVBc2&j4=SZLXJF7Pq6w8
	03062021.exe	Get hash	malicious	Browse	www.researchinnovations.net/uqf5/?6lzX=vPwqlu4x75djMEhpCHQA4gFf+95PxNUJ1qFGdpB6Q1QDKe6EVaB/Nk3rDLbvZfGP03YT&EJBD=f0GHX
	wire_confirmation.pdf.exe	Get hash	malicious	Browse	www.seniorliving100ig.com/m3rc/?2dG4=a/WbhIk1O3pNWs/fl0DnukaPSE5qtuU08n35/l03yzwKMXEJ+D24oHXDPuKusACIaWhK&W8L0b=6l68FPWpppFp
	CONTRACT SWIFT.exe	Get hash	malicious	Browse	www.rnrsans.com/s5cm/?IBZlYbB=56Wx/iK0XerXx9sRleo+Maj0Gmk9CoRfrFFa5e3vq65qm4nwUyEHtu+AOd1TMQjYkOCiNEfRCw==&7no=4hLljrWPCjYL
	SHIPPING DOCUMENT_7048555233PDF.exe	Get hash	malicious	Browse	www.rnrsans.com/s5cm/?jrTDmX=56Wx/iK0XerXx9sRleo+Maj0Gmk9CoRfrFFa5e3vq65qm4nwUyEHtu+AOd5TfAvb9eC0&p0G=ndfPKtxxGRrhJ
	PO_2021005.exe	Get hash	malicious	Browse	www.seniorliving100ig.com/m3rc/?tFQl=XPoLWrCp&kr74WFG=a/WbhIk1O3pNWs/fl0DnukaPSE5qtuU08n35/l03yzwKMXEJ+D24oHXDPuKEzwyIeUpK
	Pdf Scen Invoice 17INV06003.exe	Get hash	malicious	Browse	www.dfhgear.com/s5cm/?0bMpLRa=5u8mVReR2sf6Zr+bnzJEGrTMXUs6rQplQOF7eIj26SdfoaNehkvQkkmk6FvxoWrQXp5c&k2JxoV=fDKdgJeh5
	MT103 - Remittance.exe	Get hash	malicious	Browse	www.rnrsans.com/s5cm/?tZkPXV-=56Wx/iK0XerXx9sRleo+Maj0Gmk9CoRfrFFa5e3vq65qm4nwUyEHtu+AOd5TfAvb9eC0&U4ht=Ovpduruh8Z5tNNP
	RFQ Catalogues 00645.exe	Get hash	malicious	Browse	www.blowmei.net/bc9h/?rZyXur=zRPrWGkp8LYfW4P8bcsHO+/BMP9KI+2YDvoaSjg68eXWEE7ZaovsRiIw9IfCCD0rhYCx&Ezr47v=arITk8jHBbY8Nj
	RFQ Catalogues 00934.exe	Get hash	malicious	Browse	www.blowmei.net/bc9h/?DxoLn=zRPrWGkp8LYfW4P8bcsHO+/BMP9KI+2YDvoaSjg68eXWEE7ZaovsRiIw9LzSeyoQmtrg0oH+xA==&anM=TXFx4Prp_d9P
	PDF Purchase Order #RFQ7787HG00.exe	Get hash	malicious	Browse	www.rnrsans.com/s5cm/?jJE=56Wx/iK0XerXx9sRleo+Maj0Gmk9CoRfrFFa5e3vq65qm4nwUyEHtu+AOd1qThDbqYelNEfWRA==&wXO=O2Mtwpn
	O1E623TjjW.exe	Get hash	malicious	Browse	www.certifiedlaywernj.com/uoe8/?hL3=KQL1U0jkwOK6bk9f0TEfGgpSk6NYazXrF0FfkI9y7fgaIWuwCAJ47CYWlNirD75bh7dEhobd5A==&lN68=VTUTzPuXE25p9L
	krJF4BtzSv.exe	Get hash	malicious	Browse	www.irynazumba.com/oerg/?YL0=8pN4l4&r6A=xkxlBTP84BDqik+ZtVg23Y9Efr+3g0otXhZL96a2dhmKBXhQvXR65tW6hH0zY1naWy08
	y6f8O0kbEB.exe	Get hash	malicious	Browse	www.irynazumba.com/oerg/?ndndnZ=UtWlYrO0rhjH&mHLD_0=xkxlBTP84BDqik+ZtVg23Y9Efr+3g0otXhZL96a2dhmKBXhQvXR65tW6hEUJIkHiMVV7

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	RuVwYj2Jax.exe	Get hash	malicious	Browse	192.185.77.139
	KkPVouLuOx.exe	Get hash	malicious	Browse	67.20.76.71
	Nouveau bon de commande. 3007021_pdf.exe	Get hash	malicious	Browse	162.241.218.97
	wuxvGLNrxG.jar	Get hash	malicious	Browse	162.241.216.53
	Amaury.vanvinckenroye-AudioMessage_520498.htm	Get hash	malicious	Browse	192.185.138.88
	transferred $95,934.55 pdf.exe	Get hash	malicious	Browse	50.87.146.49
	rL3Wx4zKD4.exe	Get hash	malicious	Browse	74.220.199.6
	hD72Gd3THG.exe	Get hash	malicious	Browse	67.20.76.71
	Products Order38899999.exe	Get hash	malicious	Browse	50.87.146.199
	ORDER_0009_PDF.exe	Get hash	malicious	Browse	74.220.199.6
	WWTLJo3vxn.exe	Get hash	malicious	Browse	192.254.235.241
	INV. 736392 Scan pdf.exe	Get hash	malicious	Browse	192.185.164.148
	7nNtjBvhrm	Get hash	malicious	Browse	142.7.147.90
	Purchase Requirements.exe	Get hash	malicious	Browse	192.185.0.218
	#Ud83d#Udda8 FaxMail dir -INV 000087.html	Get hash	malicious	Browse	162.241.217.69
	Products Order.exe	Get hash	malicious	Browse	50.87.146.199
	zerYOlEkZR.exe	Get hash	malicious	Browse	192.254.235.241
	PO-K-128 IAN 340854.exe	Get hash	malicious	Browse	192.185.90.36
	csa customers.xlsx	Get hash	malicious	Browse	162.241.217.138
	ENXcmU1LzQ.exe	Get hash	malicious	Browse	108.167.158.96
CONFLUENCE-NETWORK-INCVG	INVOICE_0002_PDF.exe	Get hash	malicious	Browse	209.99.40.222
	Purchase Requirements.exe	Get hash	malicious	Browse	209.99.40.222
	SGKCM20217566748_Federighi Turkiye Oferta Term#U00e9k .exe	Get hash	malicious	Browse	208.91.197.39
	PO_0008.exe	Get hash	malicious	Browse	209.99.40.222
	QVwfduoULs.exe	Get hash	malicious	Browse	209.99.40.222
	csa customers.xlsx	Get hash	malicious	Browse	209.99.40.222
	altnp3zI5hfg3Eg.exe	Get hash	malicious	Browse	204.11.56.48
	0020072921_Swift_Payment_Details.xlsx	Get hash	malicious	Browse	209.99.40.222
	gqdJ6f9axq.exe	Get hash	malicious	Browse	209.99.40.222
	RFQ# 626669 .xlsx	Get hash	malicious	Browse	204.11.56.48
	Nsda7LTM1x.exe	Get hash	malicious	Browse	204.11.56.48
	367006.exe	Get hash	malicious	Browse	209.99.40.222
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse	208.91.197.91
	i2Kzh5TEhc.exe	Get hash	malicious	Browse	209.99.40.222
	PURCHASE ORDER 72121.exe	Get hash	malicious	Browse	209.99.64.70
	MtYE4LZNQy.exe	Get hash	malicious	Browse	204.11.56.48
	Statement SKBMT 09818.jar	Get hash	malicious	Browse	204.11.56.48
	mal.exe	Get hash	malicious	Browse	209.99.64.55
	vjsBNwolo9.js	Get hash	malicious	Browse	204.11.56.48

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment_Advice.exe.log Download File
Process:	C:\Users\user\Desktop\Payment_Advice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.607757014307062
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Payment_Advice.exe
File size:	881664
MD5:	b5a3a16559c14a2db6837fb8792134ae
SHA1:	31280391b1a399a3bc1c8ea0f4fb27e2dc9e56a0
SHA256:	c8ff043caee4e9cc889d1b7f8149e5c59ec43d2d01edeb49cb40fe1fd09a233a
SHA512:	c4ab64e5b18825e5f499182855de4ebb937aec980544b9e5accc8c5a8513fe48c3fb3b317b80eff463c32ff2ff8a20825ad196bf22a21281149e14cde3234e89
SSDEEP:	24576:pWF05yIQeYdWmi3xn+3O/Q6l0gtdc/yrWKF9eNNIp:NsdVi3xn2O466gtnfrejIp
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..h............... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4d86d6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6101F213 [Thu Jul 29 00:10:59 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd8684	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x604	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd66dc	0xd6800	False	0.834330383159	COM executable for DOS	7.61652787362	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x604	0x800	False	0.3388671875	data	3.43614330066	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xda090	0x374	data
RT_MANIFEST	0xda414	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2015
Assembly Version	1.0.0.0
InternalName	0YuzGcFX.exe
FileVersion	1.0.0.0
CompanyName	smAbdullah.com
LegalTrademarks
Comments	Created By Sm.Abdullah
ProductName	ImageControls
ProductVersion	1.0.0.0
FileDescription	ImageControls
OriginalFilename	0YuzGcFX.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-22:32:59.457711	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49737	34.102.136.180	192.168.2.3
08/03/21-22:33:04.541323	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49738	80	192.168.2.3	34.102.136.180
08/03/21-22:33:04.541323	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49738	80	192.168.2.3	34.102.136.180
08/03/21-22:33:04.541323	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49738	80	192.168.2.3	34.102.136.180
08/03/21-22:33:04.655507	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49738	34.102.136.180	192.168.2.3
08/03/21-22:33:15.937650	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49740	80	192.168.2.3	154.23.83.67
08/03/21-22:33:15.937650	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49740	80	192.168.2.3	154.23.83.67
08/03/21-22:33:15.937650	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49740	80	192.168.2.3	154.23.83.67

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 22:32:53.437089920 CEST	49736	80	192.168.2.3	173.254.28.149
Aug 3, 2021 22:32:53.592134953 CEST	80	49736	173.254.28.149	192.168.2.3
Aug 3, 2021 22:32:53.592355967 CEST	49736	80	192.168.2.3	173.254.28.149
Aug 3, 2021 22:32:53.592602015 CEST	49736	80	192.168.2.3	173.254.28.149
Aug 3, 2021 22:32:53.747421980 CEST	80	49736	173.254.28.149	192.168.2.3
Aug 3, 2021 22:32:54.088766098 CEST	49736	80	192.168.2.3	173.254.28.149
Aug 3, 2021 22:32:54.283866882 CEST	80	49736	173.254.28.149	192.168.2.3
Aug 3, 2021 22:32:54.633936882 CEST	80	49736	173.254.28.149	192.168.2.3
Aug 3, 2021 22:32:54.634041071 CEST	80	49736	173.254.28.149	192.168.2.3
Aug 3, 2021 22:32:54.634197950 CEST	49736	80	192.168.2.3	173.254.28.149
Aug 3, 2021 22:32:54.634274960 CEST	49736	80	192.168.2.3	173.254.28.149
Aug 3, 2021 22:32:59.321655989 CEST	49737	80	192.168.2.3	34.102.136.180
Aug 3, 2021 22:32:59.338752031 CEST	80	49737	34.102.136.180	192.168.2.3
Aug 3, 2021 22:32:59.339294910 CEST	49737	80	192.168.2.3	34.102.136.180
Aug 3, 2021 22:32:59.344643116 CEST	49737	80	192.168.2.3	34.102.136.180
Aug 3, 2021 22:32:59.361800909 CEST	80	49737	34.102.136.180	192.168.2.3
Aug 3, 2021 22:32:59.457710981 CEST	80	49737	34.102.136.180	192.168.2.3
Aug 3, 2021 22:32:59.457741022 CEST	80	49737	34.102.136.180	192.168.2.3
Aug 3, 2021 22:32:59.457931995 CEST	49737	80	192.168.2.3	34.102.136.180
Aug 3, 2021 22:32:59.476443052 CEST	49737	80	192.168.2.3	34.102.136.180
Aug 3, 2021 22:32:59.493740082 CEST	80	49737	34.102.136.180	192.168.2.3
Aug 3, 2021 22:33:04.523860931 CEST	49738	80	192.168.2.3	34.102.136.180
Aug 3, 2021 22:33:04.541029930 CEST	80	49738	34.102.136.180	192.168.2.3
Aug 3, 2021 22:33:04.541136980 CEST	49738	80	192.168.2.3	34.102.136.180
Aug 3, 2021 22:33:04.541322947 CEST	49738	80	192.168.2.3	34.102.136.180
Aug 3, 2021 22:33:04.558367968 CEST	80	49738	34.102.136.180	192.168.2.3
Aug 3, 2021 22:33:04.655507088 CEST	80	49738	34.102.136.180	192.168.2.3
Aug 3, 2021 22:33:04.655543089 CEST	80	49738	34.102.136.180	192.168.2.3
Aug 3, 2021 22:33:04.655735970 CEST	49738	80	192.168.2.3	34.102.136.180
Aug 3, 2021 22:33:04.655761957 CEST	49738	80	192.168.2.3	34.102.136.180
Aug 3, 2021 22:33:04.673230886 CEST	80	49738	34.102.136.180	192.168.2.3
Aug 3, 2021 22:33:09.850898981 CEST	49739	80	192.168.2.3	208.91.197.27
Aug 3, 2021 22:33:09.989118099 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:09.989350080 CEST	49739	80	192.168.2.3	208.91.197.27
Aug 3, 2021 22:33:09.989584923 CEST	49739	80	192.168.2.3	208.91.197.27
Aug 3, 2021 22:33:10.128166914 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:10.480674028 CEST	49739	80	192.168.2.3	208.91.197.27
Aug 3, 2021 22:33:10.564115047 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:10.564165115 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:10.564184904 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:10.564208031 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:10.564233065 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:10.564256907 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:10.564280033 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:10.564359903 CEST	49739	80	192.168.2.3	208.91.197.27
Aug 3, 2021 22:33:10.564476967 CEST	49739	80	192.168.2.3	208.91.197.27
Aug 3, 2021 22:33:10.565057993 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:10.565089941 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:10.565114021 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:10.565191984 CEST	49739	80	192.168.2.3	208.91.197.27
Aug 3, 2021 22:33:10.703389883 CEST	80	49739	208.91.197.27	192.168.2.3
Aug 3, 2021 22:33:10.703613997 CEST	49739	80	192.168.2.3	208.91.197.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 22:31:02.373922110 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:02.399059057 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:03.890588999 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:03.915630102 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:04.878268003 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:04.905822992 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:05.990259886 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:06.022991896 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:07.402029991 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:07.435575008 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:08.411187887 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:08.443522930 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:09.502444029 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:09.531646967 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:10.344248056 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:10.371520042 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:11.242574930 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:11.267559052 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:12.112929106 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:12.145754099 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:13.111468077 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:13.137217999 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:13.953990936 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:13.981388092 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:14.827033043 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:14.858439922 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:15.661231041 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:15.688676119 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:16.677999020 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:16.705575943 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:20.693350077 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:20.719363928 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:21.727226973 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:21.759938955 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:34.103061914 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:34.153681993 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 3, 2021 22:31:37.690828085 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:31:37.727945089 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 3, 2021 22:32:02.073709965 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:32:02.126048088 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 3, 2021 22:32:10.882425070 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:32:10.922377110 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 3, 2021 22:32:42.684437990 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:32:42.732449055 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 3, 2021 22:32:46.273271084 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:32:46.309406996 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 3, 2021 22:32:53.375864029 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:32:53.415488005 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 3, 2021 22:32:59.267330885 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:32:59.311240911 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 3, 2021 22:33:04.485091925 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:33:04.522651911 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 3, 2021 22:33:09.705560923 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:33:09.849842072 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 3, 2021 22:33:15.503002882 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:33:15.699641943 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 3, 2021 22:33:21.547020912 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:33:21.727320910 CEST	53	60633	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 22:32:53.375864029 CEST	192.168.2.3	8.8.8.8	0xe0c2	Standard query (0)	www.dipmarketingagency.com	A (IP address)	IN (0x0001)
Aug 3, 2021 22:32:59.267330885 CEST	192.168.2.3	8.8.8.8	0xa8f4	Standard query (0)	www.illoftapartments.com	A (IP address)	IN (0x0001)
Aug 3, 2021 22:33:04.485091925 CEST	192.168.2.3	8.8.8.8	0x6aaa	Standard query (0)	www.manno.expert	A (IP address)	IN (0x0001)
Aug 3, 2021 22:33:09.705560923 CEST	192.168.2.3	8.8.8.8	0xa2d4	Standard query (0)	www.firsttimephysics.com	A (IP address)	IN (0x0001)
Aug 3, 2021 22:33:15.503002882 CEST	192.168.2.3	8.8.8.8	0x2fd2	Standard query (0)	www.quickoprintnv.com	A (IP address)	IN (0x0001)
Aug 3, 2021 22:33:21.547020912 CEST	192.168.2.3	8.8.8.8	0xdb3a	Standard query (0)	www.missabrams.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 22:32:53.415488005 CEST	8.8.8.8	192.168.2.3	0xe0c2	No error (0)	www.dipmarketingagency.com		173.254.28.149	A (IP address)	IN (0x0001)
Aug 3, 2021 22:32:59.311240911 CEST	8.8.8.8	192.168.2.3	0xa8f4	No error (0)	www.illoftapartments.com	illoftapartments.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 22:32:59.311240911 CEST	8.8.8.8	192.168.2.3	0xa8f4	No error (0)	illoftapartments.com		34.102.136.180	A (IP address)	IN (0x0001)
Aug 3, 2021 22:33:04.522651911 CEST	8.8.8.8	192.168.2.3	0x6aaa	No error (0)	www.manno.expert	manno.expert		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 22:33:04.522651911 CEST	8.8.8.8	192.168.2.3	0x6aaa	No error (0)	manno.expert		34.102.136.180	A (IP address)	IN (0x0001)
Aug 3, 2021 22:33:09.849842072 CEST	8.8.8.8	192.168.2.3	0xa2d4	No error (0)	www.firsttimephysics.com		208.91.197.27	A (IP address)	IN (0x0001)
Aug 3, 2021 22:33:15.699641943 CEST	8.8.8.8	192.168.2.3	0x2fd2	No error (0)	www.quickoprintnv.com		154.23.83.67	A (IP address)	IN (0x0001)
Aug 3, 2021 22:33:21.727320910 CEST	8.8.8.8	192.168.2.3	0xdb3a	No error (0)	www.missabrams.com		45.197.108.106	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.dipmarketingagency.com

www.illoftapartments.com

www.manno.expert

www.firsttimephysics.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49736	173.254.28.149	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 22:32:53.592602015 CEST	4482	OUT	GET /uecu/?fXJ=z64Txz&2d3pCdLh=s7j1QsnOxn4iRchbaINLVToxitdCMGa8G3lQ/6LX9JGbR/ScT5dxpPHG5+tB2xnbOyUI HTTP/1.1 Host: www.dipmarketingagency.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 22:32:54.633936882 CEST	4484	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 03 Aug 2021 20:32:53 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://dipmarketingagency.com/uecu/?fXJ=z64Txz&2d3pCdLh=s7j1QsnOxn4iRchbaINLVToxitdCMGa8G3lQ/6LX9JGbR/ScT5dxpPHG5+tB2xnbOyUI Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49737	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 22:32:59.344643116 CEST	4485	OUT	GET /uecu/?2d3pCdLh=I+cFmvzvjfujRN3oltevYzRyUOJqDj5YxiqkJ4i7Zjmur1++tOYpTWGX3hXOvnB+KlCx&fXJ=z64Txz HTTP/1.1 Host: www.illoftapartments.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 22:32:59.457710981 CEST	4486	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 03 Aug 2021 20:32:59 GMT Content-Type: text/html Content-Length: 275 ETag: "6104856e-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49738	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 22:33:04.541322947 CEST	4487	OUT	GET /uecu/?fXJ=z64Txz&2d3pCdLh=u60vTBsF9oPaXHkJdoxCc4Kqv5IVcROu1QUUkePEY82yQrKo/wvecAMYDl3vDcEzgvnI HTTP/1.1 Host: www.manno.expert Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 22:33:04.655507088 CEST	4487	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 03 Aug 2021 20:33:04 GMT Content-Type: text/html Content-Length: 275 ETag: "61048812-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49739	208.91.197.27	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 22:33:09.989584923 CEST	4488	OUT	GET /uecu/?2d3pCdLh=hr7+JRYyT1HVyDshWD8v/2ivT/o36mEBRVmbpvRN6jTQqfRWnpyet8LANEukLjLgYMOr&fXJ=z64Txz HTTP/1.1 Host: www.firsttimephysics.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 22:33:10.564115047 CEST	4490	IN	HTTP/1.1 200 OK Date: Tue, 03 Aug 2021 20:33:10 GMT Server: Apache Set-Cookie: vsid=928vr3755683901805043; expires=Sun, 02-Aug-2026 20:33:10 GMT; Max-Age=157680000; path=/; domain=www.firsttimephysics.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_UtSH/Dss0NKZhGcIqXH9OJsftz5HWN/7clY2DINsRw9aSkdX6t12uw/Ci8ieJf9OIyE2jhOASMSdcjGZJ8sWtw== Keep-Alive: timeout=5, max=80 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 61 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 55 74 53 48 2f 44 73 73 30 4e 4b 5a 68 47 63 49 71 58 48 39 4f 4a 73 66 74 7a 35 48 57 4e 2f 37 63 6c 59 32 44 49 4e 73 52 77 39 61 53 6b 64 58 36 74 31 32 75 77 2f 43 69 38 69 65 4a 66 39 4f 49 79 45 32 6a 68 4f 41 53 4d 53 64 63 6a 47 5a 4a 38 73 57 74 77 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 66 69 72 73 74 74 69 6d 65 70 68 79 73 69 63 73 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 66 69 72 73 74 74 69 6d 65 70 68 79 73 69 63 73 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d Data Ascii: 4acb<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_UtSH/Dss0NKZhGcIqXH9OJsftz5HWN/7clY2DINsRw9aSkdX6t12uw/Ci8ieJf9OIyE2jhOASMSdcjGZJ8sWtw=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.firsttimephysics.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.firsttimephysics.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height=

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Payment_Advice.exe PID: 2648 Parent PID: 5724

General

Start time:	22:31:08
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\Payment_Advice.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Payment_Advice.exe'
Imagebase:	0xd30000
File size:	881664 bytes
MD5 hash:	B5A3A16559C14A2DB6837FB8792134AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.292779519.000000000420A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.292646120.0000000004149000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.291281843.00000000031B1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: RegSvcs.exe PID: 1156 Parent PID: 2648

General

Start time:	22:31:47
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0xe0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegSvcs.exe PID: 5756 Parent PID: 2648

General

Start time:	22:31:48
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3b0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegSvcs.exe PID: 2344 Parent PID: 2648

General

Start time:	22:31:48
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x440000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.355992168.0000000000A80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.356268880.0000000000AB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.355215445.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: explorer.exe PID: 3388 Parent PID: 2344

General

Start time:	22:31:51
Start date:	03/08/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: colorcpl.exe PID: 1156 Parent PID: 3388

General

Start time:	22:32:15
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\colorcpl.exe
Imagebase:	0x2c0000
File size:	86528 bytes
MD5 hash:	746F3B5E7652EA0766BA10414D317981
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.470886740.00000000025B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.469653459.0000000000470000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 2288 Parent PID: 1156

General

Start time:	22:32:20
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4000 Parent PID: 2288

General

Start time:	22:32:21
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Payment_Advice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph