Play interactive tour

Edit tour

Windows Analysis Report SUPPLY_PRICE_ORDER_9978484DF.exe

Overview

General Information

Sample Name:	SUPPLY_PRICE_ORDER_9978484DF.exe
Analysis ID:	491551
MD5:	42346ae289e050d44fe9c0bcfb5e84b0
SHA1:	8409c01d25748b3665cbaf119293d2c778cae1cd
SHA256:	ee3ae7c76f41fab122d32494212625226a1784fb209b46b657272f0f3f0158b9
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Performs DNS queries to domains with low reputation

.NET source code contains potential unpacker

Queues an APC in another process (thread injection)

.NET source code contains very large strings

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SUPPLY_PRICE_ORDER_9978484DF.exe (PID: 1892 cmdline: 'C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe' MD5: 42346AE289E050D44FE9C0BCFB5E84B0)

RegSvcs.exe (PID: 2848 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

RegSvcs.exe (PID: 1112 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

autoconv.exe (PID: 6084 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)

colorcpl.exe (PID: 5436 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)

cmd.exe (PID: 5504 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nudesalon.digital/rgoe/"], "decoy": ["iamstevekelsey.com", "homesofchaparralcountryclub.com", "voiceyupcom.com", "searchengineeye.com", "charsantosart.com", "baila.madrid", "yota.store", "halloweenbaldhills.net", "futurodr.com", "centercodebase.com", "666b20.xyz", "4-6-2.com", "gspotworld.com", "rbb78.com", "1kingbet.com", "hzhongon.com", "dossierinc.com", "sustainablefoodfactory.com", "golfsol.art", "socialenterprisestudio.com", "sec-app.pro", "mrcsclass.com", "apseymarine.com", "restate.club", "thenewtocsin.com", "mingwotech.com", "llesman.com", "limiteditionft.com", "ff4c3dgsp.xyz", "travuleaf.com", "whatsaauction.com", "iktbn-c01.com", "dpcqkw.xyz", "mahoyaku-exhibition.com", "bimcell-tlyuklemezamani.com", "thejegroupllc.com", "limponomefacil.com", "bordandoartes.com", "parsvivid.com", "lowkeymastery.com", "missionsafegame.com", "estanciasanpablo.online", "overlandshare.com", "thevillageplumbers.com", "newhollandpurpose.com", "eastmillnorthandover.com", "patrickandmaxine.com", "appleluis.host", "immerseinagro.com", "vapkey.net", "babeshotnud.com", "rap8b55d.com", "afro-occidentstyle.com", "shahjahantravel.com", "toptaxxi.store", "adronesview.com", "kinesio-leman.com", "teelandcompany.com", "bycracky.com", "sehatbersama.store", "snackithalal.com", "nailsestetic.space", "vanmetrecco.com", "pondokbali.store"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x65fb0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6634a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1a27c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1a2b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7205d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1ae875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71b49:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1ae361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7215f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1ae977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x722d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1aeaef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x66d62:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1a357a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x70dc4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ad5dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x67ada:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a42f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x7752f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b3d47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x785d2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x74461:$sqlite3step: 68 34 1C 7B E1 0x74574:$sqlite3step: 68 34 1C 7B E1 0x1b0c79:$sqlite3step: 68 34 1C 7B E1 0x1b0d8c:$sqlite3step: 68 34 1C 7B E1 0x74490:$sqlite3text: 68 38 2A 90 C5 0x745b5:$sqlite3text: 68 38 2A 90 C5 0x1b0ca8:$sqlite3text: 68 38 2A 90 C5 0x1b0dcd:$sqlite3text: 68 38 2A 90 C5 0x744a3:$sqlite3blob: 68 53 D8 7F 8C 0x745cb:$sqlite3blob: 68 53 D8 7F 8C 0x1b0cbb:$sqlite3blob: 68 53 D8 7F 8C 0x1b0de3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.268187190.0000000003251000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SUPPLY_PRICE_ORDER_9978484DF.exe PID: 1892	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
3.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0.2.SUPPLY_PRICE_ORDER_9978484DF.exe.32a8610.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 2 entries

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe' , ParentImage: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe, ParentProcessId: 1892, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 2848

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe' , ParentImage: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe, ParentProcessId: 1892, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 2848

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.nudesalon.digital/rgoe/"], "decoy": ["iamstevekelsey.com", "homesofchaparralcountryclub.com", "voiceyupcom.com", "searchengineeye.com", "charsantosart.com", "baila.madrid", "yota.store", "halloweenbaldhills.net", "futurodr.com", "centercodebase.com", "666b20.xyz", "4-6-2.com", "gspotworld.com", "rbb78.com", "1kingbet.com", "hzhongon.com", "dossierinc.com", "sustainablefoodfactory.com", "golfsol.art", "socialenterprisestudio.com", "sec-app.pro", "mrcsclass.com", "apseymarine.com", "restate.club", "thenewtocsin.com", "mingwotech.com", "llesman.com", "limiteditionft.com", "ff4c3dgsp.xyz", "travuleaf.com", "whatsaauction.com", "iktbn-c01.com", "dpcqkw.xyz", "mahoyaku-exhibition.com", "bimcell-tlyuklemezamani.com", "thejegroupllc.com", "limponomefacil.com", "bordandoartes.com", "parsvivid.com", "lowkeymastery.com", "missionsafegame.com", "estanciasanpablo.online", "overlandshare.com", "thevillageplumbers.com", "newhollandpurpose.com", "eastmillnorthandover.com", "patrickandmaxine.com", "appleluis.host", "immerseinagro.com", "vapkey.net", "babeshotnud.com", "rap8b55d.com", "afro-occidentstyle.com", "shahjahantravel.com", "toptaxxi.store", "adronesview.com", "kinesio-leman.com", "teelandcompany.com", "bycracky.com", "sehatbersama.store", "snackithalal.com", "nailsestetic.space", "vanmetrecco.com", "pondokbali.store"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SUPPLY_PRICE_ORDER_9978484DF.exe	Virustotal: Detection: 28%			Perma Link
Source: SUPPLY_PRICE_ORDER_9978484DF.exe	ReversingLabs: Detection: 28%

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY

Source: 3.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: SUPPLY_PRICE_ORDER_9978484DF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SUPPLY_PRICE_ORDER_9978484DF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb, source: colorcpl.exe, 0000000E.00000002.514451797.0000000004B47000.00000004.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.331292284.0000000001150000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.513603550.000000000472F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, colorcpl.exe
Source:	Binary string: RegSvcs.pdb source: colorcpl.exe, 0000000E.00000002.514451797.0000000004B47000.00000004.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49685 -> 52.58.78.16:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49685 -> 52.58.78.16:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49685 -> 52.58.78.16:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49686 -> 23.225.139.107:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49686 -> 23.225.139.107:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49686 -> 23.225.139.107:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49687 -> 64.91.246.51:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49687 -> 64.91.246.51:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49687 -> 64.91.246.51:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe	Network Connect: 64.91.246.51 80
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe	Domain query: www.iamstevekelsey.com
Source: C:\Windows\explorer.exe	Domain query: www.gspotworld.com
Source: C:\Windows\explorer.exe	Domain query: www.yota.store
Source: C:\Windows\explorer.exe	Domain query: www.ff4c3dgsp.xyz
Source: C:\Windows\explorer.exe	Domain query: www.newhollandpurpose.com
Source: C:\Windows\explorer.exe	Network Connect: 23.225.139.107 80
Source: C:\Windows\explorer.exe	Domain query: www.appleluis.host
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.adronesview.com
Source: C:\Windows\explorer.exe	Domain query: www.teelandcompany.com
Source: C:\Windows\explorer.exe	Network Connect: 35.215.165.29 80

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.ff4c3dgsp.xyz

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.nudesalon.digital/rgoe/

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: LIQUIDWEBUS LIQUIDWEBUS

Source: global traffic	HTTP traffic detected: GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=KdEc5zFmuggnLXnkala38KeRZUwGYpsmBda5bvOgbVa5jGbFYEbNRXOiQtYTCsFpD8+WwfyYDA== HTTP/1.1Host: www.gspotworld.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=vDEbv8rrDmkkiTshm4h8UJjCBA7dTpqpRs2jUd027mZ5NPASlMJS8wDm2zEWwRi0VbXM0fP6PA== HTTP/1.1Host: www.yota.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=sgGY6EHrU2/sPlFv65T/Wb7gB3GGagfeDoLJsp77UP3iiMN1AZE/7XMT6P9bXkgBT15arvy1nw== HTTP/1.1Host: www.ff4c3dgsp.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?0N9=p62UTdjvvun5m4F6E/NDs8CkSXewz0Mmd3OAmKShvilGuUBo5ij0sMfMI9B7yPSR/U/saD/cPg==&n0DhB=j0DpGx9XxT-Tnhk HTTP/1.1Host: www.newhollandpurpose.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?0N9=/t1+ewTNvP58zbN/GTmlHuihgocL7TvwecIdqR1o1yMMHUTs/zxhPcif7gHrks2EHupuL2PvCA==&n0DhB=j0DpGx9XxT-Tnhk HTTP/1.1Host: www.adronesview.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mBDlN3bRVBdzT2BPw== HTTP/1.1Host: www.teelandcompany.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 52.58.78.16 52.58.78.16

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 Sep 2021 15:40:09 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.310611628.0000000006840000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp	String found in binary or memory: http://www.dondominio.com/13/
Source: colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp	String found in binary or memory: http://www.dondominio.com/13/buscar/baila.madrid/
Source: colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp	String found in binary or memory: http://www.dondominio.com/13/products/domains/
Source: colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp	String found in binary or memory: http://www.dondominio.com/13/products/services/
Source: colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp	String found in binary or memory: http://www.dondominio.com/13/products/ssl/
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.267907043.0000000001967000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.com:
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.267907043.0000000001967000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SUPPLY_PRICE_ORDER_9978484DF.exe	String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: www.gspotworld.com

Source: global traffic	HTTP traffic detected: GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=KdEc5zFmuggnLXnkala38KeRZUwGYpsmBda5bvOgbVa5jGbFYEbNRXOiQtYTCsFpD8+WwfyYDA== HTTP/1.1Host: www.gspotworld.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=vDEbv8rrDmkkiTshm4h8UJjCBA7dTpqpRs2jUd027mZ5NPASlMJS8wDm2zEWwRi0VbXM0fP6PA== HTTP/1.1Host: www.yota.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=sgGY6EHrU2/sPlFv65T/Wb7gB3GGagfeDoLJsp77UP3iiMN1AZE/7XMT6P9bXkgBT15arvy1nw== HTTP/1.1Host: www.ff4c3dgsp.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?0N9=p62UTdjvvun5m4F6E/NDs8CkSXewz0Mmd3OAmKShvilGuUBo5ij0sMfMI9B7yPSR/U/saD/cPg==&n0DhB=j0DpGx9XxT-Tnhk HTTP/1.1Host: www.newhollandpurpose.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?0N9=/t1+ewTNvP58zbN/GTmlHuihgocL7TvwecIdqR1o1yMMHUTs/zxhPcif7gHrks2EHupuL2PvCA==&n0DhB=j0DpGx9XxT-Tnhk HTTP/1.1Host: www.adronesview.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mBDlN3bRVBdzT2BPw== HTTP/1.1Host: www.teelandcompany.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.267392729.000000000169B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: SUPPLY_PRICE_ORDER_9978484DF.exe

.NET source code contains very large strings

Show sources

Source: SUPPLY_PRICE_ORDER_9978484DF.exe, Darwin.WindowsForm/SearchResults.cs

Long String: Length: 34816

Source: SUPPLY_PRICE_ORDER_9978484DF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Code function: 0_2_0167C194
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Code function: 0_2_0167E5E0
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Code function: 0_2_0167E5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041B931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041BB7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041CBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408C8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C5D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041A6B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01194120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01170D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01241D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01196E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1002
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464841F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464B090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04701D55
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04630D20
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04654120
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463F900
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04662581
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04656E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466EBB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025BBB7C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025BCBD9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025BC966
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025BB931
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025BA6B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025A2FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025A8C90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025A8C8B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025A2D90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0117B150 appears 32 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0463B150 appears 32 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004185D0 NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418680 NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418700 NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004187B0 NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004185CB NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041867A NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004186FB NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041872A NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004187AA NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9950 NtQueueApcThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B99D0 NtCreateProcessEx,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9820 NtEnumerateKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011BB040 NtSuspendThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B98A0 NtWriteVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9B00 NtSetValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011BA3B0 NtGetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9A10 NtQuerySection,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9A80 NtOpenDirectoryObject,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011BAD30 NtSetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9520 NtWaitForSingleObject,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9560 NtWriteFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B95F0 NtQueryInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011BA710 NtOpenProcessToken,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9730 NtQueryVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9770 NtSetInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011BA770 NtOpenThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9760 NtOpenProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9610 NtEnumerateValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9650 NtQueryValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B9670 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B96D0 NtCreateKey,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046795D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046796D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0467B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046798F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046798A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679560 NtWriteFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0467AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046795F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046799D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679A20 NtResumeThread,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679A10 NtQuerySection,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679760 NtOpenProcess,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0467A770 NtOpenThread,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04679B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0467A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046797A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0467A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B8680 NtReadFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B8700 NtClose,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B87B0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B85D0 NtCreateFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B867A NtReadFile,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B86FB NtClose,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B872A NtClose,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B87AA NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B85CB NtCreateFile,

Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.267392729.000000000169B000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SUPPLY_PRICE_ORDER_9978484DF.exe
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000000.241253374.0000000000F04000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUCOMIRunningObjectTab.exe4 vs SUPPLY_PRICE_ORDER_9978484DF.exe
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameColladaLoader.dll4 vs SUPPLY_PRICE_ORDER_9978484DF.exe
Source: SUPPLY_PRICE_ORDER_9978484DF.exe	Binary or memory string: OriginalFilenameUCOMIRunningObjectTab.exe4 vs SUPPLY_PRICE_ORDER_9978484DF.exe

Source: SUPPLY_PRICE_ORDER_9978484DF.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SUPPLY_PRICE_ORDER_9978484DF.exe	Virustotal: Detection: 28%
Source: SUPPLY_PRICE_ORDER_9978484DF.exe	ReversingLabs: Detection: 28%

Source: SUPPLY_PRICE_ORDER_9978484DF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe 'C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe'
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SUPPLY_PRICE_ORDER_9978484DF.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/1@10/6

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: SUPPLY_PRICE_ORDER_9978484DF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SUPPLY_PRICE_ORDER_9978484DF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb, source: colorcpl.exe, 0000000E.00000002.514451797.0000000004B47000.00000004.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.331292284.0000000001150000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.513603550.000000000472F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, colorcpl.exe
Source:	Binary string: RegSvcs.pdb source: colorcpl.exe, 0000000E.00000002.514451797.0000000004B47000.00000004.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: SUPPLY_PRICE_ORDER_9978484DF.exe, Darwin.WindowsForm/MainForm.cs

.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041B87C push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041B812 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041B81B push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041603B push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041B148 pushad ; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004152B0 pushad ; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004105D2 push ebp; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004156A7 push ss; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041B7C5 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011CD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0468D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B52B0 pushad ; retf
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025BB87C push eax; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025BB81B push eax; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025BB812 push eax; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B603B push eax; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025BB148 pushad ; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B56A7 push ss; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025BB7C5 push eax; ret
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_025B05D2 push ebp; ret

Source: initial sample

Static PE information: section name: .text entropy: 6.98098108885

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.SUPPLY_PRICE_ORDER_9978484DF.exe.32a8610.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.268187190.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SUPPLY_PRICE_ORDER_9978484DF.exe PID: 1892, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 00000000025A8614 second address: 00000000025A861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 00000000025A89AE second address: 00000000025A89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe TID: 4668	Thread sleep time: -36912s >= -30000s
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe TID: 5448	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 5188	Thread sleep time: -36000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004088E0 rdtsc

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Thread delayed: delay time: 36912
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Thread delayed: delay time: 922337203685477

Source: explorer.exe, 00000004.00000000.298156044.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.298156044.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.319280852.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.319280852.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000004.00000000.293429138.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.319280852.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000004.00000000.318990974.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000004.00000000.318990974.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.295878400.00000000069DA000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004088E0 rdtsc

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\colorcpl.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01179100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01179100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01179100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01194120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01194120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01194120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01194120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01194120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0119B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0119B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0119C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012041E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01244015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01244015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01190050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01190050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01232073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01241074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01179080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0123131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01248B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01245BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01181B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01181B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0122D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0123138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01193A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01188A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0122B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0122B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01248A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01179240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01179240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01179240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01179240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01204257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01248D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011FA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01197D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0119C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0119C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01172D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01172D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01172D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01172D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01172D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01228DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0124740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0124740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0124740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011ABC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0119746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012314FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01248CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0119F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0124070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0124070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01174F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01174F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01248F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01188794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011AA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0122FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0117E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01187E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01187E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01187E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01187E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01187E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01187E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0119AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0119AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0119AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0119AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0119AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0118766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01240EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01240EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01240EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011B8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0122FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01248ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011A16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011876E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04701074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0465746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04650050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04650050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04704015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04704015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0470740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0470740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0470740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04708CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046CB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04639080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0465C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0465C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0465B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0465B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04673D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04657D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04708D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04654120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04654120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04654120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04654120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04654120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046BA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04664D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04664D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04664D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04639100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04639100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04639100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046C41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046E8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046635A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04661DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04661DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04661DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0465C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04662581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04662581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04662581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04662581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04662990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046EB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046EB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04708A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0467927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04639240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04639240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04639240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04639240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046C4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046EFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04668E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04648A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04653A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04662AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046616E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046476E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04678EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04708ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046636CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04662ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046EFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04700EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04700EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04700EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046CFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04708F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04663B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04663B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0464EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04708B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0463F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04634F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04634F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0465F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0470070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0470070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046737F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04705BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046F138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04641B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04641B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046ED380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04648794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04662397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0466B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_046B7794 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_00409B50 LdrLoadDll,

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe	Network Connect: 64.91.246.51 80
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe	Domain query: www.iamstevekelsey.com
Source: C:\Windows\explorer.exe	Domain query: www.gspotworld.com
Source: C:\Windows\explorer.exe	Domain query: www.yota.store
Source: C:\Windows\explorer.exe	Domain query: www.ff4c3dgsp.xyz
Source: C:\Windows\explorer.exe	Domain query: www.newhollandpurpose.com
Source: C:\Windows\explorer.exe	Network Connect: 23.225.139.107 80
Source: C:\Windows\explorer.exe	Domain query: www.appleluis.host
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.adronesview.com
Source: C:\Windows\explorer.exe	Domain query: www.teelandcompany.com
Source: C:\Windows\explorer.exe	Network Connect: 35.215.165.29 80

Sample uses process hollowing technique

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 2F0000

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\colorcpl.exe	Thread register set: target process: 3292

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'

Source: explorer.exe, 00000004.00000000.306881169.0000000001400000.00000002.00020000.sdmp, colorcpl.exe, 0000000E.00000002.511163062.0000000002EC0000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: explorer.exe, 00000004.00000000.306881169.0000000001400000.00000002.00020000.sdmp, colorcpl.exe, 0000000E.00000002.511163062.0000000002EC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.306881169.0000000001400000.00000002.00020000.sdmp, colorcpl.exe, 0000000E.00000002.511163062.0000000002EC0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.269371688.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: explorer.exe, 00000004.00000000.306881169.0000000001400000.00000002.00020000.sdmp, colorcpl.exe, 0000000E.00000002.511163062.0000000002EC0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.318990974.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Entity.dll VolumeInformation

Source: C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Masquerading1	Input Capture1	Security Software Discovery221	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing12	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SUPPLY_PRICE_ORDER_9978484DF.exe	29%	Virustotal		Browse
SUPPLY_PRICE_ORDER_9978484DF.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.adronesview.com/rgoe/?0N9=/t1+ewTNvP58zbN/GTmlHuihgocL7TvwecIdqR1o1yMMHUTs/zxhPcif7gHrks2EHupuL2PvCA==&n0DhB=j0DpGx9XxT-Tnhk	0%	Avira URL Cloud	safe
http://www.rspb.org.uk/wildlife/birdguide/name/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.gspotworld.com/rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=KdEc5zFmuggnLXnkala38KeRZUwGYpsmBda5bvOgbVa5jGbFYEbNRXOiQtYTCsFpD8+WwfyYDA==	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.teelandcompany.com/rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mBDlN3bRVBdzT2BPw==	0%	Avira URL Cloud	safe
http://www.newhollandpurpose.com/rgoe/?0N9=p62UTdjvvun5m4F6E/NDs8CkSXewz0Mmd3OAmKShvilGuUBo5ij0sMfMI9B7yPSR/U/saD/cPg==&n0DhB=j0DpGx9XxT-Tnhk	0%	Avira URL Cloud	safe
www.nudesalon.digital/rgoe/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.ff4c3dgsp.xyz/rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=sgGY6EHrU2/sPlFv65T/Wb7gB3GGagfeDoLJsp77UP3iiMN1AZE/7XMT6P9bXkgBT15arvy1nw==	0%	Avira URL Cloud	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.yota.store/rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=vDEbv8rrDmkkiTshm4h8UJjCBA7dTpqpRs2jUd027mZ5NPASlMJS8wDm2zEWwRi0VbXM0fP6PA==	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ff4c3dgsp.xyz	23.225.139.107	true	true	unknown
www.yota.store	52.58.78.16	true	true	unknown
newhollandpurpose.com	64.91.246.51	true	true	unknown
teelandcompany.com	34.102.136.180	true	false	unknown
parkingsrv0.dondominio.com	31.214.178.54	true	false	high
www.adronesview.com	91.195.240.94	true	true	unknown
www.gspotworld.com	35.215.165.29	true	true	unknown
www.iamstevekelsey.com	unknown	unknown	true	unknown
www.ff4c3dgsp.xyz	unknown	unknown	true	unknown
www.snackithalal.com	unknown	unknown	true	unknown
www.newhollandpurpose.com	unknown	unknown	true	unknown
www.appleluis.host	unknown	unknown	true	unknown
www.teelandcompany.com	unknown	unknown	true	unknown
www.baila.madrid	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.adronesview.com/rgoe/?0N9=/t1+ewTNvP58zbN/GTmlHuihgocL7TvwecIdqR1o1yMMHUTs/zxhPcif7gHrks2EHupuL2PvCA==&n0DhB=j0DpGx9XxT-Tnhk	true	Avira URL Cloud: safe	unknown
http://www.gspotworld.com/rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=KdEc5zFmuggnLXnkala38KeRZUwGYpsmBda5bvOgbVa5jGbFYEbNRXOiQtYTCsFpD8+WwfyYDA==	true	Avira URL Cloud: safe	unknown
http://www.teelandcompany.com/rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mBDlN3bRVBdzT2BPw==	false	Avira URL Cloud: safe	unknown
http://www.newhollandpurpose.com/rgoe/?0N9=p62UTdjvvun5m4F6E/NDs8CkSXewz0Mmd3OAmKShvilGuUBo5ij0sMfMI9B7yPSR/U/saD/cPg==&n0DhB=j0DpGx9XxT-Tnhk	true	Avira URL Cloud: safe	unknown
www.nudesalon.digital/rgoe/	true	Avira URL Cloud: safe	low
http://www.ff4c3dgsp.xyz/rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=sgGY6EHrU2/sPlFv65T/Wb7gB3GGagfeDoLJsp77UP3iiMN1AZE/7XMT6P9bXkgBT15arvy1nw==	true	Avira URL Cloud: safe	unknown
http://www.yota.store/rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=vDEbv8rrDmkkiTshm4h8UJjCBA7dTpqpRs2jUd027mZ5NPASlMJS8wDm2zEWwRi0VbXM0fP6PA==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000004.00000000.310611628.0000000006840000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false		high
http://www.dondominio.com/13/products/ssl/	colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp	false		high
http://www.fontbureau.com	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false		high
http://www.rspb.org.uk/wildlife/birdguide/name/	SUPPLY_PRICE_ORDER_9978484DF.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false		high
http://www.dondominio.com/13/	colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp	false		high
http://www.tiro.com	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.dondominio.com/13/products/services/	colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp	false		high
http://www.dondominio.com/13/buscar/baila.madrid/	colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp	false		high
http://www.carterandcone.coml	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comm	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.267907043.0000000001967000.00000004.00000040.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com:	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.267907043.0000000001967000.00000004.00000040.sdmp	false		high
http://www.galapagosdesign.com/DPlease	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false		high
http://www.fonts.com	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.dondominio.com/13/products/domains/	colorcpl.exe, 0000000E.00000002.514490454.0000000004CC2000.00000004.00020000.sdmp	false		high
http://www.sakkal.com	SUPPLY_PRICE_ORDER_9978484DF.exe, 00000000.00000002.270901531.0000000007432000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.58.78.16	www.yota.store	United States	16509	AMAZON-02US	true
64.91.246.51	newhollandpurpose.com	United States	32244	LIQUIDWEBUS	true
91.195.240.94	www.adronesview.com	Germany	47846	SEDO-ASDE	true
23.225.139.107	ff4c3dgsp.xyz	United States	40065	CNSERVERSUS	true
34.102.136.180	teelandcompany.com	United States	15169	GOOGLEUS	false
35.215.165.29	www.gspotworld.com	United States	19527	GOOGLE-2US	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491551
Start date:	27.09.2021
Start time:	17:37:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 50s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SUPPLY_PRICE_ORDER_9978484DF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/1@10/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 52.1% (good quality ratio 47.6%) Quality average: 71% Quality standard deviation: 31.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 95.100.54.203 Excluded domains from analysis (whitelisted): fs.microsoft.com, e1723.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:38:59	API Interceptor	2x Sleep call for process: SUPPLY_PRICE_ORDER_9978484DF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
52.58.78.16	NEW ORDER RE PO88224.PDF.EXE	Get hash	malicious	Browse	www.micomunidadcenter.com/ny9y/?U6kL4z=23/iwRxwSLSzasw0TphUHgWs88I3eSCUV5e0scr20yVXZozDYOBdmM5gaQNr8R72GlgZ&m48Dz=6lU4XF78
	Medical Order 092021.exe	Get hash	malicious	Browse	www.clearthefear.com/u89u/?q6=MN6x-tT086cD&Bv-le4o8=nk6RKoLHD/7U0k5q2Ds7uHLNSYJNsv7YZbE57SdXhp0czLEVViRVtuwEavcEiCpFyhAD
	TNT 07833955.exe	Get hash	malicious	Browse	www.villamante.com/b5ce/?C2M=7yv+sRlAJqST60jDhfTKkVYz9ALetPX59nt/q3NTarObbD6Qp3RvHJttKgbeFsW/Tl/p7rMteA==&2dtd=2dTpyPZX3Tqt_8d0
	ibefrankzx.exe	Get hash	malicious	Browse	www.hellohomeowner.com/if60/?4hV8uV6=8s6KWWR+5oH5p/5kYOTLy7MlSrvYRAsbSz+XGmfA8M0nnzS+NjTChWRYGldrrPF+jR2r&vR-pL=oBZ4BzuxwXzDVX
	payment..exe	Get hash	malicious	Browse	www.simera.xyz/etaf/?7n=Pzrtyx08&lHFx40t=g93QQfEc0y//TzIsdcwzV8qrP5ZvntJQzb0qwPDJTSBww162D9OYPZEA9+I0sjS/dYHN
	La lista de carga.exe	Get hash	malicious	Browse	www.smoothcontract.com/cb3b/?u2=-ZyLOPeH44YdHFMp&g8U=+4YzqtPsAmqZ5oh2OV/3jJxgPTkkCjUYxsix9kU/cx8RL4LCy8xFdT1oIwt5N4+QqzVG
	list.xlsx	Get hash	malicious	Browse	www.gamifibase.com/uytf/?droDtj=4h5xofUhs&m48=CwRnMgJ9dEKezCvlIZg7oborm7R79l5xa+5n2ZgG5sEle5VUrafcSaxshLf6ImIV/hCaMA==
	QUOTATION.exe	Get hash	malicious	Browse	www.opexma.com/tgnd/?b0GXqB=lzutZFupcl&0brhL=Ro5q4gBgYR1Pzna33h87154KGtgPkdNzz9moAL1wG6IIDJ/xcleiJW19OAhFIswNhMjZ
	Remittance_Advice_details001009142021.xlsx	Get hash	malicious	Browse	www.ecofingers.com/dy8g/?illD=X9Az7RtkaU81d6o9S6tJRjQeFUHqBPh6fbjII6Bm04v0rRN3gQJahLAd3CrM9JEnxgRa3A==&7nh=0br0WzXxgHiLa
	QUOTATION.exe	Get hash	malicious	Browse	www.virtualvandy.com/m4ts/?KHDXBF=wlFLGUAsp6BDGTS0jQI4z7Znr3dDkQDTTcVdFU/Rey3f2VeaBOrua3jxtl/rZ4AM1efI&tR-DU=ETYX
	PAYMENT COPY 02092021 PDF.exe	Get hash	malicious	Browse	www.totalcateringsolutions.com/nvts/?bL0Xot=UHVDS2sp&o6Aln=eadEcrBkBhUFvNqvPjTp+4BF7ywTZELqHgQMi/+k6oDfgcIaaimiwhKoz7JvDoSHD7EM
	mgUoskhcYw.exe	Get hash	malicious	Browse	www.algoswipe.com/i7dg/?c8DXBtGx=QlwSkxbZadzUeQqQ30CvqyB6rj7s5Q3MCb1zrrX2cqYPaGvNcrPTJxNDLiAhi6vAbY6C&oFNlP=nVnHMzW8Enl4w
	SOA.exe	Get hash	malicious	Browse	www.malikakids.com/bp39/?3fkpkd=4hKTJV&FL=qzkPggjnCd/Vmi+c26VefrYfl/NXi2h+iB46oNAc8jlNjWrHAQrLoO2c1oUjeDtDrMr9
	Alkhalo Trading Specification N0-00180091 pdf.exe	Get hash	malicious	Browse	www.unitedold.com/h388/?AHrxEXhh=HeOxd3fTK3emeSZhIcEHyZUbH5pi5uzRBKaOyXjbbuHI/gxjF5X3QotEpSoKmdp15nJu&v8kDE=KZtLDXk
	wLQpoUtFRW.exe	Get hash	malicious	Browse	www.foodboxprogram.com/hisp/?EtJLUP=mPq+goc2WbnDmv4fbddgDYidLsOkPwzb1ZDdyOKSZuYaGeRjfw+Mm+Zx6e1a6ZRBUbvQ&m8=_6Ax3F7HL65px0pP
	payment details.exe	Get hash	malicious	Browse	www.kumamotors.com/imm8/?m0G0H=WNbJnnYKyXaFNyvqUv7OM8tc6Ip+G1TKO56RrIv1d9VKfxOXYBkfWrW8PXSlo33BkjPg&v0=4h-PAlbPzLHPfRf
	42yTynkXXH.exe	Get hash	malicious	Browse	www.algoswipe.com/i7dg/?TN9=gjiTTXEh9H_&eFQl7bE=QlwSkxbZadzUeQqQ30CvqyB6rj7s5Q3MCb1zrrX2cqYPaGvNcrPTJxNDLhgxtb/4F9TF
	rich.exe	Get hash	malicious	Browse	www.localhistory.uk/angp/?aDKd98=Tqni2fLSXG5mIFQutWn33nbGnah9sr0oZ31AuXOcuD6yn/9oT6+GkOZo4u+Wx4yaERuP&3fuH=1bVdAz0HBbVxO
	Wire-Confirmation.xlsx	Get hash	malicious	Browse	www.mobiessence.com/6mam/?b0D4=KE8gpfUButRuMRaKHV5goIwNmc44LE6Oi+XDAS05rkp2RTHle1NPjCzZMh2LYYHbaIsWTA==&r0DpR=Fvl0dr_Xh
	purchase order_8019.exe	Get hash	malicious	Browse	www.bkardd.com/qb4a/?TL3D=FrgLUJvHzHA4&V48DtRqP=iuWoEo5fxLAlF0IL2VGkxaRFKkUcGJCzRj1yNytJ9vDbgBTcOBN48hgRcyIJeosCgetp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
parkingsrv0.dondominio.com	PROFORMA-PDA 00GGTBGX00001A.xlsx	Get hash	malicious	Browse	31.214.178.54
	1SGErShR6f.exe	Get hash	malicious	Browse	31.214.178.54
	EWVNnyXoRS.exe	Get hash	malicious	Browse	31.214.178.54
	SALES CONTRACT 914 VIPA ORDER 213581.xlsx	Get hash	malicious	Browse	31.214.178.54
	CTM_50,000.exe	Get hash	malicious	Browse	31.214.178.54
	PAYMENT INVOICE.exe	Get hash	malicious	Browse	31.214.178.54
	RFQ_00701521.exe	Get hash	malicious	Browse	31.214.178.54
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	37.152.88.54
	Payment_Advice.exe	Get hash	malicious	Browse	37.152.88.54
	SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe	Get hash	malicious	Browse	37.152.88.54
	pY5XEdTwX7.exe	Get hash	malicious	Browse	37.152.88.54
	001207.exe	Get hash	malicious	Browse	37.152.88.54
	Confectionary and choco.xlsx	Get hash	malicious	Browse	37.152.88.54
	RFQ.exe.exe	Get hash	malicious	Browse	37.152.88.54
	30_outputE565F3F#U202egp.exe	Get hash	malicious	Browse	37.152.88.55

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	ZFb3RmLJzo	Get hash	malicious	Browse	184.76.99.170
	N1Cyp2N7r0	Get hash	malicious	Browse	13.244.63.184
	G3kV1FpdsS	Get hash	malicious	Browse	52.31.137.232
	T5BjNBDzJa	Get hash	malicious	Browse	52.49.157.211
	DHL EXPRESS TESL#U0130MAT B#U0130LD#U0130R#U0130M#U0130 - AWB 9420174470.PDF.exe	Get hash	malicious	Browse	75.2.26.18
	Inquiry Order 26-09-2021.exe	Get hash	malicious	Browse	75.2.115.196
	GbjE8Awfrz	Get hash	malicious	Browse	13.239.133.6
	TfaQUm3e4Y	Get hash	malicious	Browse	18.133.169.79
	fmS6YYhBy1	Get hash	malicious	Browse	18.146.208.84
	cropy2.exe	Get hash	malicious	Browse	54.218.102.67
	83Sb5L88ry.exe	Get hash	malicious	Browse	18.139.111.104
	EhB2SUfLy2.exe	Get hash	malicious	Browse	44.227.65.245
	McYFrqRcE3.exe	Get hash	malicious	Browse	18.139.111.104
	sora.arm7	Get hash	malicious	Browse	18.180.172.181
	sora.x86	Get hash	malicious	Browse	13.220.139.156
	iMobile.apk	Get hash	malicious	Browse	18.219.6.85
	L3Gl0GugHo	Get hash	malicious	Browse	34.255.251.235
	7sT7tPtEkp	Get hash	malicious	Browse	54.171.230.55
	F0ZMmHZif5	Get hash	malicious	Browse	65.11.71.47
	0GmF3xh0B5	Get hash	malicious	Browse	54.171.230.55
LIQUIDWEBUS	DHL Shipment WaybillDoc_TransportLabel_3990350970.exe	Get hash	malicious	Browse	67.227.232.54
	DHL NOTIFICATIONS.exe	Get hash	malicious	Browse	50.28.78.111
	DHL NOTIFICATION.exe	Get hash	malicious	Browse	50.28.78.111
	A4B51BD72DFFD28AD3841217FFEC9E43D21EE3C6F889B.exe	Get hash	malicious	Browse	69.16.213.208
	05BB79760B2D993C39D526717DA95AEC99AD74D8FC23E.exe	Get hash	malicious	Browse	69.16.213.208
	setup_x86_x64_install.exe	Get hash	malicious	Browse	69.16.213.208
	AA9830B26F9C0DB4C3DA3C04A96199550B57251B56F8C.exe	Get hash	malicious	Browse	69.16.213.208
	Pendants.exe	Get hash	malicious	Browse	50.28.78.111
	IYtpAQqaaN.exe	Get hash	malicious	Browse	69.16.213.208
	ovdfd61Ecc.exe	Get hash	malicious	Browse	208.75.149.34
	XMae11M5yg	Get hash	malicious	Browse	69.167.187.66
	DHL Airwaybill documents_TransportLabel 3831234006.exe	Get hash	malicious	Browse	67.227.232.54
	DHL Airwaybill documents_TransportLabel 3831234009.exe	Get hash	malicious	Browse	67.227.232.54
	DHL Airwaybill documents_TransportLabel 3831234009.exe	Get hash	malicious	Browse	67.227.232.54
	PAYMENT COPY.exe	Get hash	malicious	Browse	67.227.167.12
	DHL Airwaybill documents_TransportLabel 3831234005.exe	Get hash	malicious	Browse	67.227.232.54
	DHL Airwaybill documents_TransportLabel 3831234005.exe	Get hash	malicious	Browse	67.227.232.54
	Inquiry.exe	Get hash	malicious	Browse	50.28.78.111
	DHL Airwaybill documents_TransportLabel 3831234005.exe	Get hash	malicious	Browse	67.227.232.54
	New Order Specifications.exe	Get hash	malicious	Browse	72.52.178.23

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SUPPLY_PRICE_ORDER_9978484DF.exe.log Download File
Process:	C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1309
Entropy (8bit):	5.3528008810928345
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84aE4Ks:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
MD5:	542338C5A30B02E372089FECDC54D607
SHA1:	6FAD29FF14686FC847B160E876C1E078333F6DCB
SHA-256:	6CEA4E70947B962733754346CE49553BE3FB6E1FB3949C29EC22FA9CA4B7E7B6
SHA-512:	FE4431305A8958C4940EB4AC65723A38DA6057C3D30F789C6EDDEBA8962B62E9C0583254E74740855027CF3AE9315E3001A7EEB54168073ED0D2AB9B1F05503A
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.923939152690002
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SUPPLY_PRICE_ORDER_9978484DF.exe
File size:	829440
MD5:	42346ae289e050d44fe9c0bcfb5e84b0
SHA1:	8409c01d25748b3665cbaf119293d2c778cae1cd
SHA256:	ee3ae7c76f41fab122d32494212625226a1784fb209b46b657272f0f3f0158b9
SHA512:	a43972cd083b1823c7ce93351af0f3e586fefb9375ced7f89191d6511043cf6d9a9b095a77f270a6711c831b43f3ab75c49f76e5cc24b693adb290cb20ab298f
SSDEEP:	24576:BSIFDUfsyMdK3nu7svcZPknp7tF+Xee8:BSIFD+s3KasUZPap7t
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+[Qa..............0..............,... ...@....@.. ....................................@................................

File Icon


Icon Hash:	0b19312929316931

Static PE Info

General
Entrypoint:	0x4b2ca6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61515B2B [Mon Sep 27 05:48:27 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb2c54	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb4000	0x194a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb0cac	0xb0e00	False	0.663924469965	data	6.98098108885	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb4000	0x194a4	0x19600	False	0.363666102217	data	5.4272949491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xb4220	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xb8448	0x10828	data
RT_ICON	0xc8c70	0x25a8	data
RT_ICON	0xcb218	0x10a8	data
RT_ICON	0xcc2c0	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xcc728	0x22	data
RT_GROUP_ICON	0xcc74c	0x4c	data
RT_VERSION	0xcc798	0x35c	data
RT_MANIFEST	0xccaf4	0x9b0	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright F@Soft
Assembly Version	1.0.6.2
InternalName	UCOMIRunningObjectTab.exe
FileVersion	1.0.6.0
CompanyName	F@Soft
LegalTrademarks
Comments
ProductName	Darwin AW
ProductVersion	1.0.6.0
FileDescription	Darwin AW
OriginalFilename	UCOMIRunningObjectTab.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/27/21-17:40:19.654385	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49685	80	192.168.2.7	52.58.78.16
09/27/21-17:40:19.654385	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49685	80	192.168.2.7	52.58.78.16
09/27/21-17:40:19.654385	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49685	80	192.168.2.7	52.58.78.16
09/27/21-17:40:30.021119	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49686	80	192.168.2.7	23.225.139.107
09/27/21-17:40:30.021119	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49686	80	192.168.2.7	23.225.139.107
09/27/21-17:40:30.021119	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49686	80	192.168.2.7	23.225.139.107
09/27/21-17:40:35.347868	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49687	80	192.168.2.7	64.91.246.51
09/27/21-17:40:35.347868	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49687	80	192.168.2.7	64.91.246.51
09/27/21-17:40:35.347868	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49687	80	192.168.2.7	64.91.246.51
09/27/21-17:40:50.892047	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49689	34.102.136.180	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 17:40:08.720257998 CEST	49684	80	192.168.2.7	35.215.165.29
Sep 27, 2021 17:40:08.983249903 CEST	80	49684	35.215.165.29	192.168.2.7
Sep 27, 2021 17:40:08.986577034 CEST	49684	80	192.168.2.7	35.215.165.29
Sep 27, 2021 17:40:08.986748934 CEST	49684	80	192.168.2.7	35.215.165.29
Sep 27, 2021 17:40:09.255561113 CEST	80	49684	35.215.165.29	192.168.2.7
Sep 27, 2021 17:40:09.255940914 CEST	80	49684	35.215.165.29	192.168.2.7
Sep 27, 2021 17:40:09.255976915 CEST	80	49684	35.215.165.29	192.168.2.7
Sep 27, 2021 17:40:09.257278919 CEST	49684	80	192.168.2.7	35.215.165.29
Sep 27, 2021 17:40:09.257355928 CEST	49684	80	192.168.2.7	35.215.165.29
Sep 27, 2021 17:40:09.523240089 CEST	80	49684	35.215.165.29	192.168.2.7
Sep 27, 2021 17:40:19.635881901 CEST	49685	80	192.168.2.7	52.58.78.16
Sep 27, 2021 17:40:19.654062033 CEST	80	49685	52.58.78.16	192.168.2.7
Sep 27, 2021 17:40:19.654206991 CEST	49685	80	192.168.2.7	52.58.78.16
Sep 27, 2021 17:40:19.654385090 CEST	49685	80	192.168.2.7	52.58.78.16
Sep 27, 2021 17:40:19.672354937 CEST	80	49685	52.58.78.16	192.168.2.7
Sep 27, 2021 17:40:19.672382116 CEST	80	49685	52.58.78.16	192.168.2.7
Sep 27, 2021 17:40:19.672390938 CEST	80	49685	52.58.78.16	192.168.2.7
Sep 27, 2021 17:40:19.672636032 CEST	49685	80	192.168.2.7	52.58.78.16
Sep 27, 2021 17:40:19.672755957 CEST	49685	80	192.168.2.7	52.58.78.16
Sep 27, 2021 17:40:19.690948009 CEST	80	49685	52.58.78.16	192.168.2.7
Sep 27, 2021 17:40:29.863497972 CEST	49686	80	192.168.2.7	23.225.139.107
Sep 27, 2021 17:40:30.020665884 CEST	80	49686	23.225.139.107	192.168.2.7
Sep 27, 2021 17:40:30.020828009 CEST	49686	80	192.168.2.7	23.225.139.107
Sep 27, 2021 17:40:30.021119118 CEST	49686	80	192.168.2.7	23.225.139.107
Sep 27, 2021 17:40:30.179701090 CEST	80	49686	23.225.139.107	192.168.2.7
Sep 27, 2021 17:40:30.179723024 CEST	80	49686	23.225.139.107	192.168.2.7
Sep 27, 2021 17:40:30.180020094 CEST	49686	80	192.168.2.7	23.225.139.107
Sep 27, 2021 17:40:30.180062056 CEST	49686	80	192.168.2.7	23.225.139.107
Sep 27, 2021 17:40:30.337403059 CEST	80	49686	23.225.139.107	192.168.2.7
Sep 27, 2021 17:40:35.225095034 CEST	49687	80	192.168.2.7	64.91.246.51
Sep 27, 2021 17:40:35.347248077 CEST	80	49687	64.91.246.51	192.168.2.7
Sep 27, 2021 17:40:35.347836971 CEST	49687	80	192.168.2.7	64.91.246.51
Sep 27, 2021 17:40:35.347867966 CEST	49687	80	192.168.2.7	64.91.246.51
Sep 27, 2021 17:40:35.472997904 CEST	80	49687	64.91.246.51	192.168.2.7
Sep 27, 2021 17:40:35.473385096 CEST	80	49687	64.91.246.51	192.168.2.7
Sep 27, 2021 17:40:35.473403931 CEST	80	49687	64.91.246.51	192.168.2.7
Sep 27, 2021 17:40:35.473578930 CEST	49687	80	192.168.2.7	64.91.246.51
Sep 27, 2021 17:40:35.473712921 CEST	49687	80	192.168.2.7	64.91.246.51
Sep 27, 2021 17:40:35.595577955 CEST	80	49687	64.91.246.51	192.168.2.7
Sep 27, 2021 17:40:45.592109919 CEST	49688	80	192.168.2.7	91.195.240.94
Sep 27, 2021 17:40:45.616101980 CEST	80	49688	91.195.240.94	192.168.2.7
Sep 27, 2021 17:40:45.616338015 CEST	49688	80	192.168.2.7	91.195.240.94
Sep 27, 2021 17:40:45.616533995 CEST	49688	80	192.168.2.7	91.195.240.94
Sep 27, 2021 17:40:45.639813900 CEST	80	49688	91.195.240.94	192.168.2.7
Sep 27, 2021 17:40:45.647933006 CEST	80	49688	91.195.240.94	192.168.2.7
Sep 27, 2021 17:40:45.648051023 CEST	80	49688	91.195.240.94	192.168.2.7
Sep 27, 2021 17:40:45.648164034 CEST	49688	80	192.168.2.7	91.195.240.94
Sep 27, 2021 17:40:45.648205042 CEST	49688	80	192.168.2.7	91.195.240.94
Sep 27, 2021 17:40:45.671483040 CEST	80	49688	91.195.240.94	192.168.2.7
Sep 27, 2021 17:40:50.699676037 CEST	49689	80	192.168.2.7	34.102.136.180
Sep 27, 2021 17:40:50.712726116 CEST	80	49689	34.102.136.180	192.168.2.7
Sep 27, 2021 17:40:50.713010073 CEST	49689	80	192.168.2.7	34.102.136.180
Sep 27, 2021 17:40:50.713532925 CEST	49689	80	192.168.2.7	34.102.136.180
Sep 27, 2021 17:40:50.726408958 CEST	80	49689	34.102.136.180	192.168.2.7
Sep 27, 2021 17:40:50.892046928 CEST	80	49689	34.102.136.180	192.168.2.7
Sep 27, 2021 17:40:50.892080069 CEST	80	49689	34.102.136.180	192.168.2.7
Sep 27, 2021 17:40:50.892453909 CEST	49689	80	192.168.2.7	34.102.136.180
Sep 27, 2021 17:40:50.892843008 CEST	49689	80	192.168.2.7	34.102.136.180
Sep 27, 2021 17:40:50.905642033 CEST	80	49689	34.102.136.180	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 17:39:00.858103037 CEST	64321	53	192.168.2.7	8.8.8.8
Sep 27, 2021 17:39:00.877535105 CEST	53	64321	8.8.8.8	192.168.2.7
Sep 27, 2021 17:40:08.529829979 CEST	61952	53	192.168.2.7	8.8.8.8
Sep 27, 2021 17:40:08.710267067 CEST	53	61952	8.8.8.8	192.168.2.7
Sep 27, 2021 17:40:19.601403952 CEST	56217	53	192.168.2.7	8.8.8.8
Sep 27, 2021 17:40:19.634404898 CEST	53	56217	8.8.8.8	192.168.2.7
Sep 27, 2021 17:40:24.719019890 CEST	63354	53	192.168.2.7	8.8.8.8
Sep 27, 2021 17:40:24.798568010 CEST	53	63354	8.8.8.8	192.168.2.7
Sep 27, 2021 17:40:29.831146002 CEST	53129	53	192.168.2.7	8.8.8.8
Sep 27, 2021 17:40:29.862195015 CEST	53	53129	8.8.8.8	192.168.2.7
Sep 27, 2021 17:40:35.191315889 CEST	62452	53	192.168.2.7	8.8.8.8
Sep 27, 2021 17:40:35.223239899 CEST	53	62452	8.8.8.8	192.168.2.7
Sep 27, 2021 17:40:40.522716999 CEST	57820	53	192.168.2.7	8.8.8.8
Sep 27, 2021 17:40:40.558794975 CEST	53	57820	8.8.8.8	192.168.2.7
Sep 27, 2021 17:40:45.567109108 CEST	50848	53	192.168.2.7	8.8.8.8
Sep 27, 2021 17:40:45.590652943 CEST	53	50848	8.8.8.8	192.168.2.7
Sep 27, 2021 17:40:50.660631895 CEST	61242	53	192.168.2.7	8.8.8.8
Sep 27, 2021 17:40:50.698527098 CEST	53	61242	8.8.8.8	192.168.2.7
Sep 27, 2021 17:40:55.907670975 CEST	58562	53	192.168.2.7	8.8.8.8
Sep 27, 2021 17:40:55.975321054 CEST	53	58562	8.8.8.8	192.168.2.7
Sep 27, 2021 17:41:01.095741987 CEST	56590	53	192.168.2.7	8.8.8.8
Sep 27, 2021 17:41:01.124341011 CEST	53	56590	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 27, 2021 17:40:08.529829979 CEST	192.168.2.7	8.8.8.8	0xe59	Standard query (0)	www.gspotworld.com	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:19.601403952 CEST	192.168.2.7	8.8.8.8	0x675b	Standard query (0)	www.yota.store	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:24.719019890 CEST	192.168.2.7	8.8.8.8	0x4148	Standard query (0)	www.iamstevekelsey.com	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:29.831146002 CEST	192.168.2.7	8.8.8.8	0x3762	Standard query (0)	www.ff4c3dgsp.xyz	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:35.191315889 CEST	192.168.2.7	8.8.8.8	0x4a83	Standard query (0)	www.newhollandpurpose.com	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:40.522716999 CEST	192.168.2.7	8.8.8.8	0xa26f	Standard query (0)	www.appleluis.host	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:45.567109108 CEST	192.168.2.7	8.8.8.8	0x140	Standard query (0)	www.adronesview.com	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:50.660631895 CEST	192.168.2.7	8.8.8.8	0x5b9f	Standard query (0)	www.teelandcompany.com	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:55.907670975 CEST	192.168.2.7	8.8.8.8	0xabc7	Standard query (0)	www.baila.madrid	A (IP address)	IN (0x0001)
Sep 27, 2021 17:41:01.095741987 CEST	192.168.2.7	8.8.8.8	0xdbc4	Standard query (0)	www.snackithalal.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 27, 2021 17:40:08.710267067 CEST	8.8.8.8	192.168.2.7	0xe59	No error (0)	www.gspotworld.com		35.215.165.29	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:19.634404898 CEST	8.8.8.8	192.168.2.7	0x675b	No error (0)	www.yota.store		52.58.78.16	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:24.798568010 CEST	8.8.8.8	192.168.2.7	0x4148	Name error (3)	www.iamstevekelsey.com	none	none	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:29.862195015 CEST	8.8.8.8	192.168.2.7	0x3762	No error (0)	www.ff4c3dgsp.xyz	ff4c3dgsp.xyz		CNAME (Canonical name)	IN (0x0001)
Sep 27, 2021 17:40:29.862195015 CEST	8.8.8.8	192.168.2.7	0x3762	No error (0)	ff4c3dgsp.xyz		23.225.139.107	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:35.223239899 CEST	8.8.8.8	192.168.2.7	0x4a83	No error (0)	www.newhollandpurpose.com	newhollandpurpose.com		CNAME (Canonical name)	IN (0x0001)
Sep 27, 2021 17:40:35.223239899 CEST	8.8.8.8	192.168.2.7	0x4a83	No error (0)	newhollandpurpose.com		64.91.246.51	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:40.558794975 CEST	8.8.8.8	192.168.2.7	0xa26f	No error (0)	www.appleluis.host	appleluis.host		CNAME (Canonical name)	IN (0x0001)
Sep 27, 2021 17:40:45.590652943 CEST	8.8.8.8	192.168.2.7	0x140	No error (0)	www.adronesview.com		91.195.240.94	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:50.698527098 CEST	8.8.8.8	192.168.2.7	0x5b9f	No error (0)	www.teelandcompany.com	teelandcompany.com		CNAME (Canonical name)	IN (0x0001)
Sep 27, 2021 17:40:50.698527098 CEST	8.8.8.8	192.168.2.7	0x5b9f	No error (0)	teelandcompany.com		34.102.136.180	A (IP address)	IN (0x0001)
Sep 27, 2021 17:40:55.975321054 CEST	8.8.8.8	192.168.2.7	0xabc7	No error (0)	www.baila.madrid	parkingsrv0.dondominio.com		CNAME (Canonical name)	IN (0x0001)
Sep 27, 2021 17:40:55.975321054 CEST	8.8.8.8	192.168.2.7	0xabc7	No error (0)	parkingsrv0.dondominio.com		31.214.178.54	A (IP address)	IN (0x0001)
Sep 27, 2021 17:41:01.124341011 CEST	8.8.8.8	192.168.2.7	0xdbc4	Name error (3)	www.snackithalal.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.gspotworld.com

www.yota.store

www.ff4c3dgsp.xyz

www.newhollandpurpose.com

www.adronesview.com

www.teelandcompany.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49684	35.215.165.29	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 17:40:08.986748934 CEST	180	OUT	GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=KdEc5zFmuggnLXnkala38KeRZUwGYpsmBda5bvOgbVa5jGbFYEbNRXOiQtYTCsFpD8+WwfyYDA== HTTP/1.1 Host: www.gspotworld.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 27, 2021 17:40:09.255940914 CEST	180	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 Sep 2021 15:40:09 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49685	52.58.78.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 17:40:19.654385090 CEST	181	OUT	GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=vDEbv8rrDmkkiTshm4h8UJjCBA7dTpqpRs2jUd027mZ5NPASlMJS8wDm2zEWwRi0VbXM0fP6PA== HTTP/1.1 Host: www.yota.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 27, 2021 17:40:19.672382116 CEST	182	IN	HTTP/1.1 410 Gone Server: openresty Date: Mon, 27 Sep 2021 15:39:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 61 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 79 6f 74 61 2e 73 74 6f 72 65 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 36 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 79 6f 74 61 2e 73 74 6f 72 65 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>4a <meta http-equiv='refresh' content='5; url=http://www.yota.store/' />a </head>9 <body>36 You are being redirected to http://www.yota.storea </body>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49686	23.225.139.107	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 17:40:30.021119118 CEST	183	OUT	GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=sgGY6EHrU2/sPlFv65T/Wb7gB3GGagfeDoLJsp77UP3iiMN1AZE/7XMT6P9bXkgBT15arvy1nw== HTTP/1.1 Host: www.ff4c3dgsp.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 27, 2021 17:40:30.179701090 CEST	183	IN	HTTP/1.1 404 Not Found Date: Mon, 27 Sep 2021 15:40:29 GMT Server: Apache/2.4.46 (Win32) OpenSSL/1.1.1g mod_fcgid/2.3.9a Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49687	64.91.246.51	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 17:40:35.347867966 CEST	184	OUT	GET /rgoe/?0N9=p62UTdjvvun5m4F6E/NDs8CkSXewz0Mmd3OAmKShvilGuUBo5ij0sMfMI9B7yPSR/U/saD/cPg==&n0DhB=j0DpGx9XxT-Tnhk HTTP/1.1 Host: www.newhollandpurpose.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 27, 2021 17:40:35.473385096 CEST	185	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 27 Sep 2021 15:40:35 GMT Server: Apache Location: https://www.newhollandpurpose.com/rgoe/?0N9=p62UTdjvvun5m4F6E/NDs8CkSXewz0Mmd3OAmKShvilGuUBo5ij0sMfMI9B7yPSR/U/saD/cPg==&n0DhB=j0DpGx9XxT-Tnhk Cache-Control: max-age=600 Expires: Mon, 27 Sep 2021 15:50:35 GMT Content-Length: 354 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 68 6f 6c 6c 61 6e 64 70 75 72 70 6f 73 65 2e 63 6f 6d 2f 72 67 6f 65 2f 3f 30 4e 39 3d 70 36 32 55 54 64 6a 76 76 75 6e 35 6d 34 46 36 45 2f 4e 44 73 38 43 6b 53 58 65 77 7a 30 4d 6d 64 33 4f 41 6d 4b 53 68 76 69 6c 47 75 55 42 6f 35 69 6a 30 73 4d 66 4d 49 39 42 37 79 50 53 52 2f 55 2f 73 61 44 2f 63 50 67 3d 3d 26 61 6d 70 3b 6e 30 44 68 42 3d 6a 30 44 70 47 78 39 58 78 54 2d 54 6e 68 6b 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newhollandpurpose.com/rgoe/?0N9=p62UTdjvvun5m4F6E/NDs8CkSXewz0Mmd3OAmKShvilGuUBo5ij0sMfMI9B7yPSR/U/saD/cPg==&n0DhB=j0DpGx9XxT-Tnhk">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.7	49688	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 17:40:45.616533995 CEST	186	OUT	GET /rgoe/?0N9=/t1+ewTNvP58zbN/GTmlHuihgocL7TvwecIdqR1o1yMMHUTs/zxhPcif7gHrks2EHupuL2PvCA==&n0DhB=j0DpGx9XxT-Tnhk HTTP/1.1 Host: www.adronesview.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 27, 2021 17:40:45.647933006 CEST	187	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.adronesview.com/rgoe/?0N9=/t1+ewTNvP58zbN/GTmlHuihgocL7TvwecIdqR1o1yMMHUTs/zxhPcif7gHrks2EHupuL2PvCA==&n0DhB=j0DpGx9XxT-Tnhk Date: Mon, 27 Sep 2021 15:40:45 GMT Content-Length: 175 Connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 64 72 6f 6e 65 73 76 69 65 77 2e 63 6f 6d 2f 72 67 6f 65 2f 3f 30 4e 39 3d 2f 74 31 2b 65 77 54 4e 76 50 35 38 7a 62 4e 2f 47 54 6d 6c 48 75 69 68 67 6f 63 4c 37 54 76 77 65 63 49 64 71 52 31 6f 31 79 4d 4d 48 55 54 73 2f 7a 78 68 50 63 69 66 37 67 48 72 6b 73 32 45 48 75 70 75 4c 32 50 76 43 41 3d 3d 26 61 6d 70 3b 6e 30 44 68 42 3d 6a 30 44 70 47 78 39 58 78 54 2d 54 6e 68 6b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.adronesview.com/rgoe/?0N9=/t1+ewTNvP58zbN/GTmlHuihgocL7TvwecIdqR1o1yMMHUTs/zxhPcif7gHrks2EHupuL2PvCA==&n0DhB=j0DpGx9XxT-Tnhk">Moved Permanently</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.7	49689	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 17:40:50.713532925 CEST	187	OUT	GET /rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mBDlN3bRVBdzT2BPw== HTTP/1.1 Host: www.teelandcompany.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 27, 2021 17:40:50.892046928 CEST	188	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 27 Sep 2021 15:40:50 GMT Content-Type: text/html Content-Length: 275 ETag: "6151bfae-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: SUPPLY_PRICE_ORDER_9978484DF.exe PID: 1892 Parent PID: 5552

General

Start time:	17:38:49
Start date:	27/09/2021
Path:	C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SUPPLY_PRICE_ORDER_9978484DF.exe'
Imagebase:	0xe50000
File size:	829440 bytes
MD5 hash:	42346AE289E050D44FE9C0BCFB5E84B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.269111767.0000000004251000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.268187190.0000000003251000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.268283403.00000000032CF000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: RegSvcs.exe PID: 2848 Parent PID: 1892

General

Start time:	17:39:00
Start date:	27/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x2f0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegSvcs.exe PID: 1112 Parent PID: 1892

General

Start time:	17:39:00
Start date:	27/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x6b0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.330815984.0000000000B40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.330932008.0000000000C60000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.330534936.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3292 Parent PID: 1112

General

Start time:	17:39:02
Start date:	27/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff662bf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.300246548.000000000E040000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.320533115.000000000E040000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group

Analysis Process: autoconv.exe PID: 6084 Parent PID: 3292

General

Start time:	17:39:27
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autoconv.exe
Imagebase:	0xb30000
File size:	851968 bytes
MD5 hash:	4506BE56787EDCD771A351C10B5AE3B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: colorcpl.exe PID: 5436 Parent PID: 3292

General

Start time:	17:39:28
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\colorcpl.exe
Imagebase:	0x2f0000
File size:	86528 bytes
MD5 hash:	746F3B5E7652EA0766BA10414D317981
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.509955285.00000000025A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.510129850.00000000025D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.509697209.00000000024A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group

Analysis Process: cmd.exe PID: 5504 Parent PID: 5436

General

Start time:	17:39:32
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Imagebase:	0x870000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5672 Parent PID: 5504

General

Start time:	17:39:32
Start date:	27/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SUPPLY_PRICE_ORDER_9978484DF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers