Windows Analysis Report SUPPLY_PRICE_ORDER_9978484DF.exe

Overview

General Information

Sample Name: SUPPLY_PRICE_ORDER_9978484DF.exe
Analysis ID: 491551
MD5: 42346ae289e050d44fe9c0bcfb5e84b0
SHA1: 8409c01d25748b3665cbaf119293d2c778cae1cd
SHA256: ee3ae7c76f41fab122d32494212625226a1784fb209b46b657272f0f3f0158b9
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.nudesalon.digital/rgoe/"], "decoy": ["iamstevekelsey.com", "homesofchaparralcountryclub.com", "voiceyupcom.com", "searchengineeye.com", "charsantosart.com", "baila.madrid", "yota.store", "halloweenbaldhills.net", "futurodr.com", "centercodebase.com", "666b20.xyz", "4-6-2.com", "gspotworld.com", "rbb78.com", "1kingbet.com", "hzhongon.com", "dossierinc.com", "sustainablefoodfactory.com", "golfsol.art", "socialenterprisestudio.com", "sec-app.pro", "mrcsclass.com", "apseymarine.com", "restate.club", "thenewtocsin.com", "mingwotech.com", "llesman.com", "limiteditionft.com", "ff4c3dgsp.xyz", "travuleaf.com", "whatsaauction.com", "iktbn-c01.com", "dpcqkw.xyz", "mahoyaku-exhibition.com", "bimcell-tlyuklemezamani.com", "thejegroupllc.com", "limponomefacil.com", "bordandoartes.com", "parsvivid.com", "lowkeymastery.com", "missionsafegame.com", "estanciasanpablo.online", "overlandshare.com", "thevillageplumbers.com", "newhollandpurpose.com", "eastmillnorthandover.com", "patrickandmaxine.com", "appleluis.host", "immerseinagro.com", "vapkey.net", "babeshotnud.com", "rap8b55d.com", "afro-occidentstyle.com", "shahjahantravel.com", "toptaxxi.store", "adronesview.com", "kinesio-leman.com", "teelandcompany.com", "bycracky.com", "sehatbersama.store", "snackithalal.com", "nailsestetic.space", "vanmetrecco.com", "pondokbali.store"]}
Multi AV Scanner detection for submitted file
Source: SUPPLY_PRICE_ORDER_9978484DF.exe Virustotal: Detection: 28%
Source: SUPPLY_PRICE_ORDER_9978484DF.exe ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: SUPPLY_PRICE_ORDER_9978484DF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SUPPLY_PRICE_ORDER_9978484DF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: colorcpl.exe, 0000000E.00000002.514451797.0000000004B47000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.331292284.0000000001150000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.513603550.000000000472F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, colorcpl.exe
Source: Binary string: RegSvcs.pdb source: colorcpl.exe, 0000000E.00000002.514451797.0000000004B47000.00000004.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49685 -> 52.58.78.16:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49685 -> 52.58.78.16:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49685 -> 52.58.78.16:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49686 -> 23.225.139.107:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49686 -> 23.225.139.107:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49686 -> 23.225.139.107:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49687 -> 64.91.246.51:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49687 -> 64.91.246.51:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49687 -> 64.91.246.51:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe Network Connect: 64.91.246.51 80
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe Domain query: www.iamstevekelsey.com
Source: C:\Windows\explorer.exe Domain query: www.gspotworld.com
Source: C:\Windows\explorer.exe Domain query: www.yota.store
Source: C:\Windows\explorer.exe Domain query: www.ff4c3dgsp.xyz
Source: C:\Windows\explorer.exe Domain query: www.newhollandpurpose.com
Source: C:\Windows\explorer.exe Network Connect: 23.225.139.107 80
Source: C:\Windows\explorer.exe Domain query: www.appleluis.host
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.adronesview.com
Source: C:\Windows\explorer.exe Domain query: www.teelandcompany.com
Source: C:\Windows\explorer.exe Network Connect: 35.215.165.29 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.ff4c3dgsp.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.nudesalon.digital/rgoe/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: LIQUIDWEBUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=KdEc5zFmuggnLXnkala38KeRZUwGYpsmBda5bvOgbVa5jGbFYEbNRXOiQtYTCsFpD8+WwfyYDA== HTTP/1.1 Host: www.gspotworld.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=vDEbv8rrDmkkiTshm4h8UJjCBA7dTpqpRs2jUd027mZ5NPASlMJS8wDm2zEWwRi0VbXM0fP6PA== HTTP/1.1 Host: www.yota.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=sgGY6EHrU2/sPlFv65T/Wb7gB3GGagfeDoLJsp77UP3iiMN1AZE/7XMT6P9bXkgBT15arvy1nw== HTTP/1.1 Host: www.ff4c3dgsp.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rgoe/?0N9=p62UTdjvvun5m4F6E/NDs8CkSXewz0Mmd3OAmKShvilGuUBo5ij0sMfMI9B7yPSR/U/saD/cPg==&n0DhB=j0DpGx9XxT-Tnhk HTTP/1.1 Host: www.newhollandpurpose.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rgoe/?0N9=/t1+ewTNvP58zbN/GTmlHuihgocL7TvwecIdqR1o1yMMHUTs/zxhPcif7gHrks2EHupuL2PvCA==&n0DhB=j0DpGx9XxT-Tnhk HTTP/1.1 Host: www.adronesview.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mBDlN3bRVBdzT2BPw== HTTP/1.1 Host: www.teelandcompany.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.58.78.16
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 Sep 2021 15:40:09 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.310611628.0000000006840000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp String found in binary or memory: http://www.dondominio.com/13/
Source: colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp String found in binary or memory: http://www.dondominio.com/13/buscar/baila.madrid/
Source: colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp String found in binary or memory: http://www.dondominio.com/13/products/domains/
Source: colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp String found in binary or memory: http://www.dondominio.com/13/products/services/
Source: colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp String found in binary or memory: http://www.dondominio.com/13/products/ssl/
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.267907043.0000000001967000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.com:
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.267907043.0000000001967000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SUPPLY_PRICE_ORDER_9978484DF.exe String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.gspotworld.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.267392729.000000000169B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: SUPPLY_PRICE_ORDER_9978484DF.exe
.NET source code contains very large strings
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Uses 32bit PE files
Source: SUPPLY_PRICE_ORDER_9978484DF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Code function: 0_2_0167C194 0_2_0167C194
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Code function: 0_2_0167E5E0 0_2_0167E5E0
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Code function: 0_2_0167E5F0 0_2_0167E5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00401027 3_2_00401027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041C966 3_2_0041C966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041B931 3_2_0041B931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00401208 3_2_00401208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041BB7C 3_2_0041BB7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041CBD9 3_2_0041CBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00408C8B 3_2_00408C8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00408C90 3_2_00408C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041C5D1 3_2_0041C5D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041A6B6 3_2_0041A6B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0117F900 3_2_0117F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01194120 3_2_01194120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01231002 3_2_01231002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0118B090 3_2_0118B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011AEBB0 3_2_011AEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01170D20 3_2_01170D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01241D55 3_2_01241D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011A2581 3_2_011A2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0118D5E0 3_2_0118D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0118841F 3_2_0118841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01196E30 3_2_01196E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1002 14_2_046F1002
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464841F 14_2_0464841F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464B090 14_2_0464B090
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04701D55 14_2_04701D55
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04630D20 14_2_04630D20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04654120 14_2_04654120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463F900 14_2_0463F900
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464D5E0 14_2_0464D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04662581 14_2_04662581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04656E30 14_2_04656E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466EBB0 14_2_0466EBB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025BBB7C 14_2_025BBB7C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025BCBD9 14_2_025BCBD9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025BC966 14_2_025BC966
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025BB931 14_2_025BB931
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025BA6B6 14_2_025BA6B6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025A2FB0 14_2_025A2FB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025A8C90 14_2_025A8C90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025A8C8B 14_2_025A8C8B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025A2D90 14_2_025A2D90
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0117B150 appears 32 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0463B150 appears 32 times
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004185D0 NtCreateFile, 3_2_004185D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00418680 NtReadFile, 3_2_00418680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00418700 NtClose, 3_2_00418700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004187B0 NtAllocateVirtualMemory, 3_2_004187B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004185CB NtCreateFile, 3_2_004185CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041867A NtReadFile, 3_2_0041867A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004186FB NtClose, 3_2_004186FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041872A NtClose, 3_2_0041872A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004187AA NtAllocateVirtualMemory, 3_2_004187AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_011B9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B99A0 NtCreateSection,LdrInitializeThunk, 3_2_011B99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9840 NtDelayExecution,LdrInitializeThunk, 3_2_011B9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_011B9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_011B98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_011B9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9A20 NtResumeThread,LdrInitializeThunk, 3_2_011B9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9A50 NtCreateFile,LdrInitializeThunk, 3_2_011B9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9540 NtReadFile,LdrInitializeThunk, 3_2_011B9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B95D0 NtClose,LdrInitializeThunk, 3_2_011B95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_011B9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_011B9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_011B97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9FE0 NtCreateMutant,LdrInitializeThunk, 3_2_011B9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_011B9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_011B96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9950 NtQueueApcThread, 3_2_011B9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B99D0 NtCreateProcessEx, 3_2_011B99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9820 NtEnumerateKey, 3_2_011B9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011BB040 NtSuspendThread, 3_2_011BB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B98A0 NtWriteVirtualMemory, 3_2_011B98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9B00 NtSetValueKey, 3_2_011B9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011BA3B0 NtGetContextThread, 3_2_011BA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9A10 NtQuerySection, 3_2_011B9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9A80 NtOpenDirectoryObject, 3_2_011B9A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011BAD30 NtSetContextThread, 3_2_011BAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9520 NtWaitForSingleObject, 3_2_011B9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9560 NtWriteFile, 3_2_011B9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B95F0 NtQueryInformationFile, 3_2_011B95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011BA710 NtOpenProcessToken, 3_2_011BA710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9730 NtQueryVirtualMemory, 3_2_011B9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9770 NtSetInformationFile, 3_2_011B9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011BA770 NtOpenThread, 3_2_011BA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9760 NtOpenProcess, 3_2_011B9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9610 NtEnumerateValueKey, 3_2_011B9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9650 NtQueryValueKey, 3_2_011B9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B9670 NtQueryInformationProcess, 3_2_011B9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B96D0 NtCreateKey, 3_2_011B96D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_04679860
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679840 NtDelayExecution,LdrInitializeThunk, 14_2_04679840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679540 NtReadFile,LdrInitializeThunk, 14_2_04679540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_04679910
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046795D0 NtClose,LdrInitializeThunk, 14_2_046795D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046799A0 NtCreateSection,LdrInitializeThunk, 14_2_046799A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_04679660
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679A50 NtCreateFile,LdrInitializeThunk, 14_2_04679A50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679650 NtQueryValueKey,LdrInitializeThunk, 14_2_04679650
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046796E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_046796E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046796D0 NtCreateKey,LdrInitializeThunk, 14_2_046796D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679710 NtQueryInformationToken,LdrInitializeThunk, 14_2_04679710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679FE0 NtCreateMutant,LdrInitializeThunk, 14_2_04679FE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679780 NtMapViewOfSection,LdrInitializeThunk, 14_2_04679780
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0467B040 NtSuspendThread, 14_2_0467B040
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679820 NtEnumerateKey, 14_2_04679820
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046798F0 NtReadVirtualMemory, 14_2_046798F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046798A0 NtWriteVirtualMemory, 14_2_046798A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679560 NtWriteFile, 14_2_04679560
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679950 NtQueueApcThread, 14_2_04679950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679520 NtWaitForSingleObject, 14_2_04679520
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0467AD30 NtSetContextThread, 14_2_0467AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046795F0 NtQueryInformationFile, 14_2_046795F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046799D0 NtCreateProcessEx, 14_2_046799D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679670 NtQueryInformationProcess, 14_2_04679670
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679A20 NtResumeThread, 14_2_04679A20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679A00 NtProtectVirtualMemory, 14_2_04679A00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679610 NtEnumerateValueKey, 14_2_04679610
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679A10 NtQuerySection, 14_2_04679A10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679A80 NtOpenDirectoryObject, 14_2_04679A80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679760 NtOpenProcess, 14_2_04679760
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679770 NtSetInformationFile, 14_2_04679770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0467A770 NtOpenThread, 14_2_0467A770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679730 NtQueryVirtualMemory, 14_2_04679730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04679B00 NtSetValueKey, 14_2_04679B00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0467A710 NtOpenProcessToken, 14_2_0467A710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046797A0 NtUnmapViewOfSection, 14_2_046797A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0467A3B0 NtGetContextThread, 14_2_0467A3B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B8680 NtReadFile, 14_2_025B8680
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B8700 NtClose, 14_2_025B8700
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B87B0 NtAllocateVirtualMemory, 14_2_025B87B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B85D0 NtCreateFile, 14_2_025B85D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B867A NtReadFile, 14_2_025B867A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B86FB NtClose, 14_2_025B86FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B872A NtClose, 14_2_025B872A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B87AA NtAllocateVirtualMemory, 14_2_025B87AA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B85CB NtCreateFile, 14_2_025B85CB
Sample file is different than original file name gathered from version info
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.267392729.000000000169B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SUPPLY_PRICE_ORDER_9978484DF.exe
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000000.241253374.0000000000F04000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUCOMIRunningObjectTab.exe4 vs SUPPLY_PRICE_ORDER_9978484DF.exe
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameColladaLoader.dll4 vs SUPPLY_PRICE_ORDER_9978484DF.exe
Source: SUPPLY_PRICE_ORDER_9978484DF.exe Binary or memory string: OriginalFilenameUCOMIRunningObjectTab.exe4 vs SUPPLY_PRICE_ORDER_9978484DF.exe
PE file contains strange resources
Source: SUPPLY_PRICE_ORDER_9978484DF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SUPPLY_PRICE_ORDER_9978484DF.exe Virustotal: Detection: 28%
Source: SUPPLY_PRICE_ORDER_9978484DF.exe ReversingLabs: Detection: 28%
Source: SUPPLY_PRICE_ORDER_9978484DF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe 'C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe'
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SUPPLY_PRICE_ORDER_9978484DF.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/1@10/6
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SUPPLY_PRICE_ORDER_9978484DF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SUPPLY_PRICE_ORDER_9978484DF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: colorcpl.exe, 0000000E.00000002.514451797.0000000004B47000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.331292284.0000000001150000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.513603550.000000000472F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, colorcpl.exe
Source: Binary string: RegSvcs.pdb source: colorcpl.exe, 0000000E.00000002.514451797.0000000004B47000.00000004.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041B87C push eax; ret 3_2_0041B882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041B812 push eax; ret 3_2_0041B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041B81B push eax; ret 3_2_0041B882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041603B push eax; ret 3_2_0041603C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041B148 pushad ; ret 3_2_0041B14B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004152B0 pushad ; retf 3_2_004152B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004105D2 push ebp; ret 3_2_004105D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004156A7 push ss; ret 3_2_004156AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041B7C5 push eax; ret 3_2_0041B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CD0D1 push ecx; ret 3_2_011CD0E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0468D0D1 push ecx; ret 14_2_0468D0E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B52B0 pushad ; retf 14_2_025B52B8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025BB87C push eax; ret 14_2_025BB882
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025BB81B push eax; ret 14_2_025BB882
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025BB812 push eax; ret 14_2_025BB818
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B603B push eax; ret 14_2_025B603C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025BB148 pushad ; ret 14_2_025BB14B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B56A7 push ss; ret 14_2_025B56AA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025BB7C5 push eax; ret 14_2_025BB818
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_025B05D2 push ebp; ret 14_2_025B05D3
Source: initial sample Static PE information: section name: .text entropy: 6.98098108885
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.SUPPLY_PRICE_ORDER_9978484DF.exe.32a8610.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.268187190.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SUPPLY_PRICE_ORDER_9978484DF.exe PID: 1892, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 00000000025A8614 second address: 00000000025A861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 00000000025A89AE second address: 00000000025A89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe TID: 4668 Thread sleep time: -36912s >= -30000s
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe TID: 5448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 5188 Thread sleep time: -36000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004088E0 rdtsc 3_2_004088E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Thread delayed: delay time: 36912
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000004.00000000.298156044.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.298156044.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.319280852.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.319280852.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000004.00000000.293429138.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.319280852.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000004.00000000.318990974.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000004.00000000.318990974.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.295878400.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004088E0 rdtsc 3_2_004088E0
Enables debug privileges
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\colorcpl.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0119AE73 mov eax, dword ptr fs:[00000030h] 3_2_0119AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0119AE73 mov eax, dword ptr fs:[00000030h] 3_2_0119AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0119AE73 mov eax, dword ptr fs:[00000030h] 3_2_0119AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0118766D mov eax, dword ptr fs:[00000030h] 3_2_0118766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01240EA5 mov eax, dword ptr fs:[00000030h] 3_2_01240EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01240EA5 mov eax, dword ptr fs:[00000030h] 3_2_01240EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01240EA5 mov eax, dword ptr fs:[00000030h] 3_2_01240EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0120FE87 mov eax, dword ptr fs:[00000030h] 3_2_0120FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011F46A7 mov eax, dword ptr fs:[00000030h] 3_2_011F46A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011A36CC mov eax, dword ptr fs:[00000030h] 3_2_011A36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011B8EC7 mov eax, dword ptr fs:[00000030h] 3_2_011B8EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0122FEC0 mov eax, dword ptr fs:[00000030h] 3_2_0122FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01248ED6 mov eax, dword ptr fs:[00000030h] 3_2_01248ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011A16E0 mov ecx, dword ptr fs:[00000030h] 3_2_011A16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011876E2 mov eax, dword ptr fs:[00000030h] 3_2_011876E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04701074 mov eax, dword ptr fs:[00000030h] 14_2_04701074
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0465746D mov eax, dword ptr fs:[00000030h] 14_2_0465746D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F2073 mov eax, dword ptr fs:[00000030h] 14_2_046F2073
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466A44B mov eax, dword ptr fs:[00000030h] 14_2_0466A44B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04650050 mov eax, dword ptr fs:[00000030h] 14_2_04650050
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04650050 mov eax, dword ptr fs:[00000030h] 14_2_04650050
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046CC450 mov eax, dword ptr fs:[00000030h] 14_2_046CC450
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046CC450 mov eax, dword ptr fs:[00000030h] 14_2_046CC450
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466BC2C mov eax, dword ptr fs:[00000030h] 14_2_0466BC2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h] 14_2_0466002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h] 14_2_0466002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h] 14_2_0466002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h] 14_2_0466002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h] 14_2_0466002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464B02A mov eax, dword ptr fs:[00000030h] 14_2_0464B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464B02A mov eax, dword ptr fs:[00000030h] 14_2_0464B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464B02A mov eax, dword ptr fs:[00000030h] 14_2_0464B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464B02A mov eax, dword ptr fs:[00000030h] 14_2_0464B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h] 14_2_046B6C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h] 14_2_046B6C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h] 14_2_046B6C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h] 14_2_046B6C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04704015 mov eax, dword ptr fs:[00000030h] 14_2_04704015
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04704015 mov eax, dword ptr fs:[00000030h] 14_2_04704015
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h] 14_2_046F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B7016 mov eax, dword ptr fs:[00000030h] 14_2_046B7016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B7016 mov eax, dword ptr fs:[00000030h] 14_2_046B7016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B7016 mov eax, dword ptr fs:[00000030h] 14_2_046B7016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0470740D mov eax, dword ptr fs:[00000030h] 14_2_0470740D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0470740D mov eax, dword ptr fs:[00000030h] 14_2_0470740D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0470740D mov eax, dword ptr fs:[00000030h] 14_2_0470740D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F14FB mov eax, dword ptr fs:[00000030h] 14_2_046F14FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B6CF0 mov eax, dword ptr fs:[00000030h] 14_2_046B6CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B6CF0 mov eax, dword ptr fs:[00000030h] 14_2_046B6CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B6CF0 mov eax, dword ptr fs:[00000030h] 14_2_046B6CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04708CD6 mov eax, dword ptr fs:[00000030h] 14_2_04708CD6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046CB8D0 mov eax, dword ptr fs:[00000030h] 14_2_046CB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046CB8D0 mov ecx, dword ptr fs:[00000030h] 14_2_046CB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046CB8D0 mov eax, dword ptr fs:[00000030h] 14_2_046CB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046CB8D0 mov eax, dword ptr fs:[00000030h] 14_2_046CB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046CB8D0 mov eax, dword ptr fs:[00000030h] 14_2_046CB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046CB8D0 mov eax, dword ptr fs:[00000030h] 14_2_046CB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046790AF mov eax, dword ptr fs:[00000030h] 14_2_046790AF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466F0BF mov ecx, dword ptr fs:[00000030h] 14_2_0466F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466F0BF mov eax, dword ptr fs:[00000030h] 14_2_0466F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466F0BF mov eax, dword ptr fs:[00000030h] 14_2_0466F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04639080 mov eax, dword ptr fs:[00000030h] 14_2_04639080
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B3884 mov eax, dword ptr fs:[00000030h] 14_2_046B3884
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B3884 mov eax, dword ptr fs:[00000030h] 14_2_046B3884
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464849B mov eax, dword ptr fs:[00000030h] 14_2_0464849B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463C962 mov eax, dword ptr fs:[00000030h] 14_2_0463C962
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463B171 mov eax, dword ptr fs:[00000030h] 14_2_0463B171
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463B171 mov eax, dword ptr fs:[00000030h] 14_2_0463B171
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0465C577 mov eax, dword ptr fs:[00000030h] 14_2_0465C577
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0465C577 mov eax, dword ptr fs:[00000030h] 14_2_0465C577
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0465B944 mov eax, dword ptr fs:[00000030h] 14_2_0465B944
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0465B944 mov eax, dword ptr fs:[00000030h] 14_2_0465B944
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04673D43 mov eax, dword ptr fs:[00000030h] 14_2_04673D43
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B3540 mov eax, dword ptr fs:[00000030h] 14_2_046B3540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04657D50 mov eax, dword ptr fs:[00000030h] 14_2_04657D50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04708D34 mov eax, dword ptr fs:[00000030h] 14_2_04708D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04654120 mov eax, dword ptr fs:[00000030h] 14_2_04654120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04654120 mov eax, dword ptr fs:[00000030h] 14_2_04654120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04654120 mov eax, dword ptr fs:[00000030h] 14_2_04654120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04654120 mov eax, dword ptr fs:[00000030h] 14_2_04654120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04654120 mov ecx, dword ptr fs:[00000030h] 14_2_04654120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h] 14_2_04643D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463AD30 mov eax, dword ptr fs:[00000030h] 14_2_0463AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466513A mov eax, dword ptr fs:[00000030h] 14_2_0466513A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466513A mov eax, dword ptr fs:[00000030h] 14_2_0466513A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046BA537 mov eax, dword ptr fs:[00000030h] 14_2_046BA537
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04664D3B mov eax, dword ptr fs:[00000030h] 14_2_04664D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04664D3B mov eax, dword ptr fs:[00000030h] 14_2_04664D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04664D3B mov eax, dword ptr fs:[00000030h] 14_2_04664D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04639100 mov eax, dword ptr fs:[00000030h] 14_2_04639100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04639100 mov eax, dword ptr fs:[00000030h] 14_2_04639100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04639100 mov eax, dword ptr fs:[00000030h] 14_2_04639100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0463B1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0463B1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0463B1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046C41E8 mov eax, dword ptr fs:[00000030h] 14_2_046C41E8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0464D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0464D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046E8DF1 mov eax, dword ptr fs:[00000030h] 14_2_046E8DF1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046661A0 mov eax, dword ptr fs:[00000030h] 14_2_046661A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046661A0 mov eax, dword ptr fs:[00000030h] 14_2_046661A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046635A1 mov eax, dword ptr fs:[00000030h] 14_2_046635A1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B69A6 mov eax, dword ptr fs:[00000030h] 14_2_046B69A6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04661DB5 mov eax, dword ptr fs:[00000030h] 14_2_04661DB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04661DB5 mov eax, dword ptr fs:[00000030h] 14_2_04661DB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04661DB5 mov eax, dword ptr fs:[00000030h] 14_2_04661DB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B51BE mov eax, dword ptr fs:[00000030h] 14_2_046B51BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B51BE mov eax, dword ptr fs:[00000030h] 14_2_046B51BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B51BE mov eax, dword ptr fs:[00000030h] 14_2_046B51BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B51BE mov eax, dword ptr fs:[00000030h] 14_2_046B51BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466A185 mov eax, dword ptr fs:[00000030h] 14_2_0466A185
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0465C182 mov eax, dword ptr fs:[00000030h] 14_2_0465C182
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04662581 mov eax, dword ptr fs:[00000030h] 14_2_04662581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04662581 mov eax, dword ptr fs:[00000030h] 14_2_04662581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04662581 mov eax, dword ptr fs:[00000030h] 14_2_04662581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04662581 mov eax, dword ptr fs:[00000030h] 14_2_04662581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h] 14_2_04632D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h] 14_2_04632D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h] 14_2_04632D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h] 14_2_04632D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h] 14_2_04632D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04662990 mov eax, dword ptr fs:[00000030h] 14_2_04662990
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466FD9B mov eax, dword ptr fs:[00000030h] 14_2_0466FD9B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466FD9B mov eax, dword ptr fs:[00000030h] 14_2_0466FD9B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464766D mov eax, dword ptr fs:[00000030h] 14_2_0464766D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046EB260 mov eax, dword ptr fs:[00000030h] 14_2_046EB260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046EB260 mov eax, dword ptr fs:[00000030h] 14_2_046EB260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04708A62 mov eax, dword ptr fs:[00000030h] 14_2_04708A62
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h] 14_2_0465AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h] 14_2_0465AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h] 14_2_0465AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h] 14_2_0465AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h] 14_2_0465AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0467927A mov eax, dword ptr fs:[00000030h] 14_2_0467927A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04639240 mov eax, dword ptr fs:[00000030h] 14_2_04639240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04639240 mov eax, dword ptr fs:[00000030h] 14_2_04639240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04639240 mov eax, dword ptr fs:[00000030h] 14_2_04639240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04639240 mov eax, dword ptr fs:[00000030h] 14_2_04639240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h] 14_2_04647E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h] 14_2_04647E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h] 14_2_04647E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h] 14_2_04647E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h] 14_2_04647E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h] 14_2_04647E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046C4257 mov eax, dword ptr fs:[00000030h] 14_2_046C4257
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463E620 mov eax, dword ptr fs:[00000030h] 14_2_0463E620
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046EFE3F mov eax, dword ptr fs:[00000030h] 14_2_046EFE3F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463C600 mov eax, dword ptr fs:[00000030h] 14_2_0463C600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463C600 mov eax, dword ptr fs:[00000030h] 14_2_0463C600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463C600 mov eax, dword ptr fs:[00000030h] 14_2_0463C600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04668E00 mov eax, dword ptr fs:[00000030h] 14_2_04668E00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04648A0A mov eax, dword ptr fs:[00000030h] 14_2_04648A0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463AA16 mov eax, dword ptr fs:[00000030h] 14_2_0463AA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463AA16 mov eax, dword ptr fs:[00000030h] 14_2_0463AA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04653A1C mov eax, dword ptr fs:[00000030h] 14_2_04653A1C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466A61C mov eax, dword ptr fs:[00000030h] 14_2_0466A61C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466A61C mov eax, dword ptr fs:[00000030h] 14_2_0466A61C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04662AE4 mov eax, dword ptr fs:[00000030h] 14_2_04662AE4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046616E0 mov ecx, dword ptr fs:[00000030h] 14_2_046616E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046476E2 mov eax, dword ptr fs:[00000030h] 14_2_046476E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04678EC7 mov eax, dword ptr fs:[00000030h] 14_2_04678EC7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04708ED6 mov eax, dword ptr fs:[00000030h] 14_2_04708ED6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046636CC mov eax, dword ptr fs:[00000030h] 14_2_046636CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04662ACB mov eax, dword ptr fs:[00000030h] 14_2_04662ACB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046EFEC0 mov eax, dword ptr fs:[00000030h] 14_2_046EFEC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046352A5 mov eax, dword ptr fs:[00000030h] 14_2_046352A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046352A5 mov eax, dword ptr fs:[00000030h] 14_2_046352A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046352A5 mov eax, dword ptr fs:[00000030h] 14_2_046352A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046352A5 mov eax, dword ptr fs:[00000030h] 14_2_046352A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046352A5 mov eax, dword ptr fs:[00000030h] 14_2_046352A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B46A7 mov eax, dword ptr fs:[00000030h] 14_2_046B46A7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0464AAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0464AAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04700EA5 mov eax, dword ptr fs:[00000030h] 14_2_04700EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04700EA5 mov eax, dword ptr fs:[00000030h] 14_2_04700EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04700EA5 mov eax, dword ptr fs:[00000030h] 14_2_04700EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466FAB0 mov eax, dword ptr fs:[00000030h] 14_2_0466FAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046CFE87 mov eax, dword ptr fs:[00000030h] 14_2_046CFE87
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466D294 mov eax, dword ptr fs:[00000030h] 14_2_0466D294
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466D294 mov eax, dword ptr fs:[00000030h] 14_2_0466D294
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463DB60 mov ecx, dword ptr fs:[00000030h] 14_2_0463DB60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464FF60 mov eax, dword ptr fs:[00000030h] 14_2_0464FF60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04708F6A mov eax, dword ptr fs:[00000030h] 14_2_04708F6A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04663B7A mov eax, dword ptr fs:[00000030h] 14_2_04663B7A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04663B7A mov eax, dword ptr fs:[00000030h] 14_2_04663B7A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463DB40 mov eax, dword ptr fs:[00000030h] 14_2_0463DB40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0464EF40 mov eax, dword ptr fs:[00000030h] 14_2_0464EF40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04708B58 mov eax, dword ptr fs:[00000030h] 14_2_04708B58
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0463F358 mov eax, dword ptr fs:[00000030h] 14_2_0463F358
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04634F2E mov eax, dword ptr fs:[00000030h] 14_2_04634F2E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04634F2E mov eax, dword ptr fs:[00000030h] 14_2_04634F2E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466E730 mov eax, dword ptr fs:[00000030h] 14_2_0466E730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466A70E mov eax, dword ptr fs:[00000030h] 14_2_0466A70E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466A70E mov eax, dword ptr fs:[00000030h] 14_2_0466A70E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0465F716 mov eax, dword ptr fs:[00000030h] 14_2_0465F716
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F131B mov eax, dword ptr fs:[00000030h] 14_2_046F131B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046CFF10 mov eax, dword ptr fs:[00000030h] 14_2_046CFF10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046CFF10 mov eax, dword ptr fs:[00000030h] 14_2_046CFF10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0470070D mov eax, dword ptr fs:[00000030h] 14_2_0470070D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0470070D mov eax, dword ptr fs:[00000030h] 14_2_0470070D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046603E2 mov eax, dword ptr fs:[00000030h] 14_2_046603E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046603E2 mov eax, dword ptr fs:[00000030h] 14_2_046603E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046603E2 mov eax, dword ptr fs:[00000030h] 14_2_046603E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046603E2 mov eax, dword ptr fs:[00000030h] 14_2_046603E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046603E2 mov eax, dword ptr fs:[00000030h] 14_2_046603E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046603E2 mov eax, dword ptr fs:[00000030h] 14_2_046603E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046737F5 mov eax, dword ptr fs:[00000030h] 14_2_046737F5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B53CA mov eax, dword ptr fs:[00000030h] 14_2_046B53CA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B53CA mov eax, dword ptr fs:[00000030h] 14_2_046B53CA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04705BA5 mov eax, dword ptr fs:[00000030h] 14_2_04705BA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046F138A mov eax, dword ptr fs:[00000030h] 14_2_046F138A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04641B8F mov eax, dword ptr fs:[00000030h] 14_2_04641B8F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04641B8F mov eax, dword ptr fs:[00000030h] 14_2_04641B8F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046ED380 mov ecx, dword ptr fs:[00000030h] 14_2_046ED380
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04648794 mov eax, dword ptr fs:[00000030h] 14_2_04648794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_04662397 mov eax, dword ptr fs:[00000030h] 14_2_04662397
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_0466B390 mov eax, dword ptr fs:[00000030h] 14_2_0466B390
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B7794 mov eax, dword ptr fs:[00000030h] 14_2_046B7794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B7794 mov eax, dword ptr fs:[00000030h] 14_2_046B7794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 14_2_046B7794 mov eax, dword ptr fs:[00000030h] 14_2_046B7794
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00409B50 LdrLoadDll, 3_2_00409B50
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 64.91.246.51 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.iamstevekelsey.com
Source: C:\Windows\explorer.exe Domain query: www.gspotworld.com
Source: C:\Windows\explorer.exe Domain query: www.yota.store
Source: C:\Windows\explorer.exe Domain query: www.ff4c3dgsp.xyz
Source: C:\Windows\explorer.exe Domain query: www.newhollandpurpose.com
Source: C:\Windows\explorer.exe Network Connect: 23.225.139.107 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.appleluis.host
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.adronesview.com
Source: C:\Windows\explorer.exe Domain query: www.teelandcompany.com
Source: C:\Windows\explorer.exe Network Connect: 35.215.165.29 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 2F0000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3292 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Thread register set: target process: 3292 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' Jump to behavior
Source: explorer.exe, 00000004.00000000.306881169.0000000001400000.00000002.00020000.sdmp, colorcpl.exe, 0000000E.00000002.511163062.0000000002EC0000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000004.00000000.306881169.0000000001400000.00000002.00020000.sdmp, colorcpl.exe, 0000000E.00000002.511163062.0000000002EC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.306881169.0000000001400000.00000002.00020000.sdmp, colorcpl.exe, 0000000E.00000002.511163062.0000000002EC0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.269371688.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000004.00000000.306881169.0000000001400000.00000002.00020000.sdmp, colorcpl.exe, 0000000E.00000002.511163062.0000000002EC0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.318990974.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Entity.dll VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY