Windows Analysis Report
RFQ 242024.exe

Overview

General Information

Sample name: RFQ 242024.exe
Analysis ID: 1541408
MD5: 5fa5f00b74bf9bb524687e6785027135
SHA1: 4f41d3eddbf7844cc60f561c6fd92c44f7f4f282
SHA256: ff410475bb80926bc3933e68f5e84a7185292bb2b78294abe528cb647c78f637
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Found malware configuration
Source: 0000000C.00000002.1946757380.0000000002B70000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.f6b-crxy.top/cu29/"], "decoy": ["qidr.shop", "usinessaviationconsulting.net", "68716329.xyz", "nd-los.net", "ealthironcladguarantee.shop", "oftware-download-69354.bond", "48372305.top", "omeownershub.top", "mall-chilli.top", "ajakgoid.online", "ire-changer-53482.bond", "rugsrx.shop", "oyang123.info", "azino-forum-pro.online", "817715.rest", "layman.vip", "eb777.club", "ovatonica.net", "urgaslotvip.website", "inn-paaaa.buzz", "reativedreams.design", "upremehomes.shop", "ames-saaab.buzz", "phonelock.xyz", "ideandseekvacations.xyz", "77179ksuhr.top", "ental-bridges-87553.bond", "7win2.bet", "ainan.company", "5mwhs.top", "hopp9.top", "65fhgejd3.xyz", "olandopaintingllc.online", "n-wee.buzz", "reshcasinoinfo2.top", "5734.party", "qtbyj.live", "gil.lat", "siabgc4d.online", "fios.top", "sed-cars-89003.bond", "nlineschools-2507-001-sap.click", "upiloffatemotors.online", "ordf.top", "achhonglan.shop", "irex.info", "oursmile.vip", "leachlondonstore.online", "asukacro.online", "panish-classes-64045.bond", "apita.top", "srtio.xyz", "kdsclci.bond", "ochacha.sbs", "oldsteps.buzz", "yzq0n.top", "npostl.xyz", "ladder-cancer-symptoms-mine.sbs", "400725iimfyuj120.top", "3589.photo", "rasilhojenoticias.online", "ependableequipment.online", "itusbandar126.info", "ohns.app"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: RFQ 242024.exe ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match File source: 8.2.tabulations.exe.30b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tabulations.exe.30b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tabulations.exe.2bd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tabulations.exe.2bd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1946757380.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4199678590.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1946265005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1772698758.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4200098980.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1910016870.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1829240450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4200172422.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1946641867.00000000007D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1831323631.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1829945213.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1950270407.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: RFQ 242024.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: RFQ 242024.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: systray.pdb source: svchost.exe, 00000002.00000002.1830113260.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1832500709.0000000003870000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.1830052440.0000000003200000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4200384289.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: systray.pdbGCTL source: svchost.exe, 00000002.00000002.1830113260.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1832500709.0000000003870000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.1830052440.0000000003200000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4200384289.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: tabulations.exe, 00000001.00000003.1769406201.0000000004460000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000001.00000003.1770412440.0000000004600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1773337204.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1832745228.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1771781121.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1832745228.0000000003900000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4200572033.0000000004630000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1832424192.000000000447C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1829758139.00000000042C6000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4200572033.00000000047CE000.00000040.00001000.00020000.00000000.sdmp, tabulations.exe, 00000008.00000003.1905484311.0000000004400000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000008.00000003.1906455172.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1907647251.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1947269075.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1947269075.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1909417955.0000000003200000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000D.00000003.1946224819.000000000458E000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000D.00000002.1950589096.0000000004A7E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000D.00000003.1949049744.0000000004731000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000D.00000002.1950589096.00000000048E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: tabulations.exe, 00000001.00000003.1769406201.0000000004460000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000001.00000003.1770412440.0000000004600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1773337204.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1832745228.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1771781121.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1832745228.0000000003900000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4200572033.0000000004630000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1832424192.000000000447C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1829758139.00000000042C6000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4200572033.00000000047CE000.00000040.00001000.00020000.00000000.sdmp, tabulations.exe, 00000008.00000003.1905484311.0000000004400000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000008.00000003.1906455172.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1907647251.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1947269075.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1947269075.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1909417955.0000000003200000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000D.00000003.1946224819.000000000458E000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000D.00000002.1950589096.0000000004A7E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000D.00000003.1949049744.0000000004731000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000D.00000002.1950589096.00000000048E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RAServer.pdb source: svchost.exe, 0000000C.00000003.1943616444.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1943877480.0000000002E35000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1948363753.0000000004FB0000.00000040.10000000.00040000.00000000.sdmp, raserver.exe, 0000000D.00000002.1950165939.00000000000A0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4219913492.00000000110AF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.4200997208.0000000004B7F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.4199927469.00000000006C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4219913492.00000000110AF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.4200997208.0000000004B7F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.4199927469.00000000006C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RAServer.pdbGCTL source: svchost.exe, 0000000C.00000003.1943616444.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1943877480.0000000002E35000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1948363753.0000000004FB0000.00000040.10000000.00040000.00000000.sdmp, raserver.exe, 0000000D.00000002.1950165939.00000000000A0000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 1_2_00452126
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 1_2_0045C999
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00436ADE
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00434BEE
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 1_2_00436D2D
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00442E1F
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0045DD7C FindFirstFileW,FindClose, 1_2_0045DD7C
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 1_2_0044BD29
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00475FE5
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_0044BF8D
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop ebx 2_2_00407B22

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50002 -> 85.13.166.18:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50002 -> 85.13.166.18:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50002 -> 85.13.166.18:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.f6b-crxy.top/cu29/
Tries to resolve many domain names, but no domain seems valid
Source: unknown DNS traffic detected: query: www.hopp9.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ordf.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.5mwhs.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.kdsclci.bond replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.n-wee.buzz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.f6b-crxy.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.asukacro.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.reativedreams.design replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.yzq0n.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.fios.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.5734.party replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: global traffic DNS traffic detected: DNS query: www.ordf.top
Source: global traffic DNS traffic detected: DNS query: www.n-wee.buzz
Source: global traffic DNS traffic detected: DNS query: www.yzq0n.top
Source: global traffic DNS traffic detected: DNS query: www.hopp9.top
Source: global traffic DNS traffic detected: DNS query: www.fios.top
Source: global traffic DNS traffic detected: DNS query: www.asukacro.online
Source: global traffic DNS traffic detected: DNS query: www.5mwhs.top
Source: global traffic DNS traffic detected: DNS query: www.reativedreams.design
Source: global traffic DNS traffic detected: DNS query: www.irex.info
Source: global traffic DNS traffic detected: DNS query: www.5734.party
Source: global traffic DNS traffic detected: DNS query: www.kdsclci.bond
Source: global traffic DNS traffic detected: DNS query: www.f6b-crxy.top
Source: explorer.exe, 00000003.00000000.1783846203.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3112584324.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4207257415.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.1783846203.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3112584324.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4207257415.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000000.1783846203.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3112584324.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4207257415.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000000.1783846203.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3112584324.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4207257415.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.4203309500.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000000.1785552751.00000000098A8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000003.00000000.1785552751.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4210779680.00000000098A8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000003.00000000.1783149309.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4204586567.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4212787758.0000000009B60000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.400725iimfyuj120.top
Source: explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.400725iimfyuj120.top/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.400725iimfyuj120.topReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.5734.party
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.5734.party/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.5734.party/cu29/www.kdsclci.bond
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.5734.partyReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.5mwhs.top
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.5mwhs.top/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.5mwhs.top/cu29/www.reativedreams.design
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.5mwhs.topReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.817715.rest
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.817715.rest/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.817715.rest/cu29/www.srtio.xyz
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.817715.restReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.asukacro.online
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.asukacro.online/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.asukacro.online/cu29/www.5mwhs.top
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.asukacro.onlineReferer:
Source: explorer.exe, 00000003.00000003.3108167431.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1788938589.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106993530.000000000C974000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f6b-crxy.top
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f6b-crxy.top/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f6b-crxy.top/cu29/www.817715.rest
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f6b-crxy.topReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fios.top
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fios.top/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fios.top/cu29/www.asukacro.online
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fios.topReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hopp9.top
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hopp9.top/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hopp9.top/cu29/www.fios.top
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hopp9.topReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.irex.info
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.irex.info/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.irex.info/cu29/www.5734.party
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.irex.infoReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kdsclci.bond
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kdsclci.bond/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kdsclci.bond/cu29/www.f6b-crxy.top
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kdsclci.bondReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.n-wee.buzz
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.n-wee.buzz/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.n-wee.buzz/cu29/www.yzq0n.top
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.n-wee.buzzReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olandopaintingllc.online
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olandopaintingllc.online/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olandopaintingllc.online/cu29/www.400725iimfyuj120.top
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olandopaintingllc.onlineReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ordf.top
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ordf.top/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ordf.top/cu29/www.n-wee.buzz
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ordf.topReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reativedreams.design
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reativedreams.design/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reativedreams.design/cu29/www.irex.info
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reativedreams.designReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.srtio.xyz
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.srtio.xyz/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.srtio.xyz/cu29/www.olandopaintingllc.online
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.srtio.xyzReferer:
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yzq0n.top
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yzq0n.top/cu29/
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yzq0n.top/cu29/www.hopp9.top
Source: explorer.exe, 00000003.00000003.3106246668.000000000CB06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4218794504.000000000CB0A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yzq0n.topReferer:
Source: explorer.exe, 00000003.00000000.1788938589.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000003.00000003.3111512788.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3531957351.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4203309500.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000003.00000003.3111512788.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3531957351.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4203309500.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000003.00000000.1788938589.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4217280404.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000003.3112584324.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4207257415.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1783846203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000003.3112584324.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4207257415.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1783846203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000003.00000000.1776260071.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4201505387.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4199926862.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1776954323.0000000003700000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000003.3112584324.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1783846203.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4207257415.0000000009702000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3112584324.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4207257415.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1783846203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000003.3112584324.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1783846203.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4207257415.0000000009702000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000002.4203309500.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000003.00000002.4203309500.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000003.00000000.1788938589.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4217280404.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000003.00000002.4203309500.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000003.00000000.1788938589.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4217280404.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000003.00000000.1788938589.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4217280404.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.4217280404.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1788938589.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000003.00000000.1788938589.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4217280404.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000003.00000002.4203309500.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000003.00000000.1778528179.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000003.00000002.4203309500.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 1_2_00459FFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00456354
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C08E
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_0047C08E

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 8.2.tabulations.exe.30b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tabulations.exe.30b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tabulations.exe.2bd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tabulations.exe.2bd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1946757380.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4199678590.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1946265005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1772698758.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4200098980.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1910016870.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1829240450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4200172422.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1946641867.00000000007D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1831323631.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1829945213.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1950270407.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 8.2.tabulations.exe.30b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.tabulations.exe.30b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.tabulations.exe.30b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.tabulations.exe.30b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.tabulations.exe.30b0000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.tabulations.exe.30b0000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.tabulations.exe.2bd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.tabulations.exe.2bd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.tabulations.exe.2bd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.tabulations.exe.2bd0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.tabulations.exe.2bd0000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.tabulations.exe.2bd0000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4219016565.000000000E5DC000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 0000000C.00000002.1946757380.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1946757380.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1946757380.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4199678590.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4199678590.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4199678590.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.1946265005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1946265005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1946265005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1772698758.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1772698758.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1772698758.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4200098980.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4200098980.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4200098980.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1910016870.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1910016870.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1910016870.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1829240450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1829240450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1829240450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4200172422.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4200172422.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4200172422.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.1946641867.00000000007D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1946641867.00000000007D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1946641867.00000000007D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1831323631.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1831323631.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1831323631.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1829945213.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1829945213.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1829945213.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.1950270407.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.1950270407.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.1950270407.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: tabulations.exe PID: 1364, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 2008, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: systray.exe PID: 5348, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: tabulations.exe PID: 5320, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 2260, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: raserver.exe PID: 2284, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: RFQ 242024.exe
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A320 NtCreateFile, 2_2_0041A320
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A3D0 NtReadFile, 2_2_0041A3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A450 NtClose, 2_2_0041A450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A500 NtAllocateVirtualMemory, 2_2_0041A500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A31B NtCreateFile, 2_2_0041A31B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A44A NtClose, 2_2_0041A44A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A4FA NtAllocateVirtualMemory, 2_2_0041A4FA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_03972BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972B60 NtClose,LdrInitializeThunk, 2_2_03972B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972AD0 NtReadFile,LdrInitializeThunk, 2_2_03972AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972F90 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03972F90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972FB0 NtResumeThread,LdrInitializeThunk, 2_2_03972FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972FE0 NtCreateFile,LdrInitializeThunk, 2_2_03972FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972F30 NtCreateSection,LdrInitializeThunk, 2_2_03972F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972E80 NtReadVirtualMemory,LdrInitializeThunk, 2_2_03972E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_03972EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972DD0 NtDelayExecution,LdrInitializeThunk, 2_2_03972DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03972DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972D10 NtMapViewOfSection,LdrInitializeThunk, 2_2_03972D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972D30 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_03972D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972CA0 NtQueryInformationToken,LdrInitializeThunk, 2_2_03972CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_03972C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03974340 NtSetContextThread, 2_2_03974340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03974650 NtSuspendThread, 2_2_03974650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972B80 NtQueryInformationFile, 2_2_03972B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972BA0 NtEnumerateValueKey, 2_2_03972BA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972BE0 NtQueryValueKey, 2_2_03972BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972AB0 NtWaitForSingleObject, 2_2_03972AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972AF0 NtWriteFile, 2_2_03972AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972FA0 NtQuerySection, 2_2_03972FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972F60 NtCreateProcessEx, 2_2_03972F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972EE0 NtQueueApcThread, 2_2_03972EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972E30 NtWriteVirtualMemory, 2_2_03972E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972DB0 NtEnumerateKey, 2_2_03972DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972D00 NtSetInformationFile, 2_2_03972D00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972CC0 NtQueryVirtualMemory, 2_2_03972CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972CF0 NtOpenProcess, 2_2_03972CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972C00 NtQueryInformationProcess, 2_2_03972C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972C60 NtCreateKey, 2_2_03972C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03973090 NtSetValueKey, 2_2_03973090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03973010 NtOpenDirectoryObject, 2_2_03973010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039735C0 NtCreateMutant, 2_2_039735C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039739B0 NtGetContextThread, 2_2_039739B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03973D10 NtOpenProcessToken, 2_2_03973D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03973D70 NtOpenThread, 2_2_03973D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0388A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 2_2_0388A036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0388A042 NtQueryInformationProcess, 2_2_0388A042
Source: C:\Windows\explorer.exe Code function: 3_2_0E5C5E12 NtProtectVirtualMemory, 3_2_0E5C5E12
Source: C:\Windows\explorer.exe Code function: 3_2_0E5C4232 NtCreateFile, 3_2_0E5C4232
Source: C:\Windows\explorer.exe Code function: 3_2_0E5C5E0A NtProtectVirtualMemory, 3_2_0E5C5E0A
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004461ED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 1_2_004364AA
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00409A40 0_2_00409A40
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00412038 0_2_00412038
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0047E1FA 0_2_0047E1FA
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0041A46B 0_2_0041A46B
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0041240C 0_2_0041240C
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004045E0 0_2_004045E0
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00412818 0_2_00412818
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0047CBF0 0_2_0047CBF0
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0044EBBC 0_2_0044EBBC
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00412C38 0_2_00412C38
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00490D70 0_2_00490D70
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0044ED9A 0_2_0044ED9A
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00424F70 0_2_00424F70
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0041AF0D 0_2_0041AF0D
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00427161 0_2_00427161
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004212BE 0_2_004212BE
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00443390 0_2_00443390
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00443391 0_2_00443391
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0041D750 0_2_0041D750
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004037E0 0_2_004037E0
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00427859 0_2_00427859
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0040F890 0_2_0040F890
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0042397B 0_2_0042397B
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00411B63 0_2_00411B63
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00423EBF 0_2_00423EBF
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_03FD36A8 0_2_03FD36A8
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00412038 1_2_00412038
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0047E1FA 1_2_0047E1FA
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0041A46B 1_2_0041A46B
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0041240C 1_2_0041240C
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_004045E0 1_2_004045E0
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00412818 1_2_00412818
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0047CBF0 1_2_0047CBF0
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0044EBBC 1_2_0044EBBC
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00412C38 1_2_00412C38
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0044ED9A 1_2_0044ED9A
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00424F70 1_2_00424F70
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0041AF0D 1_2_0041AF0D
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00427161 1_2_00427161
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_004212BE 1_2_004212BE
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00443390 1_2_00443390
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00443391 1_2_00443391
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0041D750 1_2_0041D750
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_004037E0 1_2_004037E0
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00427859 1_2_00427859
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0040F890 1_2_0040F890
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0042397B 1_2_0042397B
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00409A40 1_2_00409A40
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00411B63 1_2_00411B63
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00423EBF 1_2_00423EBF
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_03EB36A8 1_2_03EB36A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041ED75 2_2_0041ED75
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409E4C 2_2_00409E4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409E50 2_2_00409E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041EE8A 2_2_0041EE8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D772 2_2_0041D772
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E77C 2_2_0041E77C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A003E6 2_2_03A003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394E3F0 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FA352 2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C02C0 2_2_039C02C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A001AA 2_2_03A001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F41A2 2_2_039F41A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F81CC 2_2_039F81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DA118 2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930100 2_2_03930100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C8158 2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D2000 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393C7C0 2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03964750 2_2_03964750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395C6E0 2_2_0395C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A00591 2_2_03A00591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940535 2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039EE4F6 2_2_039EE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E4420 2_2_039E4420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F2446 2_2_039F2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F6BD7 2_2_039F6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FAB40 2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A0A9A6 2_2_03A0A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03956962 2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039268B8 2_2_039268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E8F0 2_2_0396E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394A840 2_2_0394A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03942840 2_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BEFA0 2_2_039BEFA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03932FC8 2_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03960F30 2_2_03960F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E2F30 2_2_039E2F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03982F28 2_2_03982F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B4F40 2_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952E90 2_2_03952E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FCE93 2_2_039FCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FEEDB 2_2_039FEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FEE26 2_2_039FEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940E59 2_2_03940E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03958DBF 2_2_03958DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393ADE0 2_2_0393ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DCD1F 2_2_039DCD1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394AD00 2_2_0394AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0CB5 2_2_039E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930CF2 2_2_03930CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940C00 2_2_03940C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0398739A 2_2_0398739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F132D 2_2_039F132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392D34C 2_2_0392D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039452A0 2_2_039452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395B2C0 2_2_0395B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395D2F0 2_2_0395D2F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E12ED 2_2_039E12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394B1B0 2_2_0394B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A0B16B 2_2_03A0B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392F172 2_2_0392F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0397516C 2_2_0397516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039EF0CC 2_2_039EF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039470C0 2_2_039470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F70E9 2_2_039F70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FF0E0 2_2_039FF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FF7B0 2_2_039FF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F16CC 2_2_039F16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DD5B0 2_2_039DD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F7571 2_2_039F7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FF43F 2_2_039FF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03931460 2_2_03931460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395FB80 2_2_0395FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B5BF0 2_2_039B5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0397DBF9 2_2_0397DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FFB76 2_2_039FFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DDAAC 2_2_039DDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03985AA0 2_2_03985AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E1AA3 2_2_039E1AA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039EDAC6 2_2_039EDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FFA49 2_2_039FFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F7A46 2_2_039F7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B3A6C 2_2_039B3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D5910 2_2_039D5910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03949950 2_2_03949950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395B950 2_2_0395B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039438E0 2_2_039438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AD800 2_2_039AD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03941F92 2_2_03941F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FFFB1 2_2_039FFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FFF09 2_2_039FFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03949EB0 2_2_03949EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395FDC0 2_2_0395FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F1D5A 2_2_039F1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03943D40 2_2_03943D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F7D73 2_2_039F7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FFCF2 2_2_039FFCF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B9C32 2_2_039B9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0388A036 2_2_0388A036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0388B232 2_2_0388B232
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03881082 2_2_03881082
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0388E5CD 2_2_0388E5CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03885B30 2_2_03885B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03885B32 2_2_03885B32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03888912 2_2_03888912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03882D02 2_2_03882D02
Source: C:\Windows\explorer.exe Code function: 3_2_0E4B7232 3_2_0E4B7232
Source: C:\Windows\explorer.exe Code function: 3_2_0E4B1B32 3_2_0E4B1B32
Source: C:\Windows\explorer.exe Code function: 3_2_0E4B1B30 3_2_0E4B1B30
Source: C:\Windows\explorer.exe Code function: 3_2_0E4B6036 3_2_0E4B6036
Source: C:\Windows\explorer.exe Code function: 3_2_0E4AD082 3_2_0E4AD082
Source: C:\Windows\explorer.exe Code function: 3_2_0E4AED02 3_2_0E4AED02
Source: C:\Windows\explorer.exe Code function: 3_2_0E4B4912 3_2_0E4B4912
Source: C:\Windows\explorer.exe Code function: 3_2_0E4BA5CD 3_2_0E4BA5CD
Source: C:\Windows\explorer.exe Code function: 3_2_0E5C4232 3_2_0E5C4232
Source: C:\Windows\explorer.exe Code function: 3_2_0E5C3036 3_2_0E5C3036
Source: C:\Windows\explorer.exe Code function: 3_2_0E5BA082 3_2_0E5BA082
Source: C:\Windows\explorer.exe Code function: 3_2_0E5C1912 3_2_0E5C1912
Source: C:\Windows\explorer.exe Code function: 3_2_0E5BBD02 3_2_0E5BBD02
Source: C:\Windows\explorer.exe Code function: 3_2_0E5BEB32 3_2_0E5BEB32
Source: C:\Windows\explorer.exe Code function: 3_2_0E5BEB30 3_2_0E5BEB30
Source: C:\Windows\explorer.exe Code function: 3_2_0E5C75CD 3_2_0E5C75CD
Source: C:\Windows\explorer.exe Code function: 3_2_0FCB1B32 3_2_0FCB1B32
Source: C:\Windows\explorer.exe Code function: 3_2_0FCB1B30 3_2_0FCB1B30
Source: C:\Windows\explorer.exe Code function: 3_2_0FCB7232 3_2_0FCB7232
Source: C:\Windows\explorer.exe Code function: 3_2_0FCBA5CD 3_2_0FCBA5CD
Source: C:\Windows\explorer.exe Code function: 3_2_0FCAED02 3_2_0FCAED02
Source: C:\Windows\explorer.exe Code function: 3_2_0FCB4912 3_2_0FCB4912
Source: C:\Windows\explorer.exe Code function: 3_2_0FCAD082 3_2_0FCAD082
Source: C:\Windows\explorer.exe Code function: 3_2_0FCB6036 3_2_0FCB6036
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: String function: 0041718C appears 44 times
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: String function: 0040E6D0 appears 35 times
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: String function: 0041718C appears 44 times
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: String function: 0040E6D0 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 039BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0392B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03975130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03987E54 appears 99 times
Uses 32bit PE files
Source: RFQ 242024.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 8.2.tabulations.exe.30b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.tabulations.exe.30b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.tabulations.exe.30b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.tabulations.exe.30b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.tabulations.exe.30b0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.tabulations.exe.30b0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.tabulations.exe.2bd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.tabulations.exe.2bd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.tabulations.exe.2bd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.tabulations.exe.2bd0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.tabulations.exe.2bd0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.tabulations.exe.2bd0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4219016565.000000000E5DC000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 0000000C.00000002.1946757380.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.1946757380.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.1946757380.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4199678590.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4199678590.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4199678590.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.1946265005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.1946265005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.1946265005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1772698758.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1772698758.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1772698758.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4200098980.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4200098980.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4200098980.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1910016870.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1910016870.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1910016870.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1829240450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1829240450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1829240450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4200172422.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4200172422.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4200172422.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.1946641867.00000000007D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.1946641867.00000000007D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.1946641867.00000000007D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1831323631.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1831323631.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1831323631.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1829945213.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1829945213.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1829945213.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.1950270407.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.1950270407.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.1950270407.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: tabulations.exe PID: 1364, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 2008, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: systray.exe PID: 5348, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: tabulations.exe PID: 5320, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 2260, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: raserver.exe PID: 2284, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@18/3@12/0
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW, 0_2_0044AF5C
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464422
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 1_2_00464422
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 1_2_004364AA
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D517
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle, 0_2_0043701F
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_0047A999
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043614F
Source: C:\Users\user\Desktop\RFQ 242024.exe File created: C:\Users\user\AppData\Local\piceous Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_03
Source: C:\Users\user\Desktop\RFQ 242024.exe File created: C:\Users\user\AppData\Local\Temp\unjust Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs"
Source: RFQ 242024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ 242024.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RFQ 242024.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\RFQ 242024.exe File read: C:\Users\user\Desktop\RFQ 242024.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\RFQ 242024.exe "C:\Users\user\Desktop\RFQ 242024.exe"
Source: C:\Users\user\Desktop\RFQ 242024.exe Process created: C:\Users\user\AppData\Local\piceous\tabulations.exe "C:\Users\user\Desktop\RFQ 242024.exe"
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ 242024.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\piceous\tabulations.exe "C:\Users\user\AppData\Local\piceous\tabulations.exe"
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\piceous\tabulations.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
Source: C:\Users\user\Desktop\RFQ 242024.exe Process created: C:\Users\user\AppData\Local\piceous\tabulations.exe "C:\Users\user\Desktop\RFQ 242024.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ 242024.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe" Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\piceous\tabulations.exe "C:\Users\user\AppData\Local\piceous\tabulations.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\piceous\tabulations.exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: RFQ 242024.exe Static file information: File size 1162625 > 1048576
Source: Binary string: systray.pdb source: svchost.exe, 00000002.00000002.1830113260.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1832500709.0000000003870000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.1830052440.0000000003200000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4200384289.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: systray.pdbGCTL source: svchost.exe, 00000002.00000002.1830113260.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1832500709.0000000003870000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.1830052440.0000000003200000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4200384289.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: tabulations.exe, 00000001.00000003.1769406201.0000000004460000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000001.00000003.1770412440.0000000004600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1773337204.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1832745228.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1771781121.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1832745228.0000000003900000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4200572033.0000000004630000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1832424192.000000000447C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1829758139.00000000042C6000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4200572033.00000000047CE000.00000040.00001000.00020000.00000000.sdmp, tabulations.exe, 00000008.00000003.1905484311.0000000004400000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000008.00000003.1906455172.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1907647251.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1947269075.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1947269075.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1909417955.0000000003200000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000D.00000003.1946224819.000000000458E000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000D.00000002.1950589096.0000000004A7E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000D.00000003.1949049744.0000000004731000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000D.00000002.1950589096.00000000048E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: tabulations.exe, 00000001.00000003.1769406201.0000000004460000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000001.00000003.1770412440.0000000004600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1773337204.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1832745228.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1771781121.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1832745228.0000000003900000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4200572033.0000000004630000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1832424192.000000000447C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1829758139.00000000042C6000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4200572033.00000000047CE000.00000040.00001000.00020000.00000000.sdmp, tabulations.exe, 00000008.00000003.1905484311.0000000004400000.00000004.00001000.00020000.00000000.sdmp, tabulations.exe, 00000008.00000003.1906455172.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1907647251.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1947269075.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1947269075.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1909417955.0000000003200000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000D.00000003.1946224819.000000000458E000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000D.00000002.1950589096.0000000004A7E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000D.00000003.1949049744.0000000004731000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000D.00000002.1950589096.00000000048E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RAServer.pdb source: svchost.exe, 0000000C.00000003.1943616444.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1943877480.0000000002E35000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1948363753.0000000004FB0000.00000040.10000000.00040000.00000000.sdmp, raserver.exe, 0000000D.00000002.1950165939.00000000000A0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4219913492.00000000110AF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.4200997208.0000000004B7F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.4199927469.00000000006C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4219913492.00000000110AF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.4200997208.0000000004B7F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.4199927469.00000000006C7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RAServer.pdbGCTL source: svchost.exe, 0000000C.00000003.1943616444.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1943877480.0000000002E35000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1948363753.0000000004FB0000.00000040.10000000.00040000.00000000.sdmp, raserver.exe, 0000000D.00000002.1950165939.00000000000A0000.00000040.80000000.00040000.00000000.sdmp
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
PE file contains an invalid checksum
Source: tabulations.exe.0.dr Static PE information: real checksum: 0xa2135 should be: 0x122c74
Source: RFQ 242024.exe Static PE information: real checksum: 0xa2135 should be: 0x122c74
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_004171D1 push ecx; ret 1_2_004171E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041794F push ss; ret 2_2_0041797F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417993 push ss; ret 2_2_0041797F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416B24 push ss; retf 2_2_00416B27
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D475 push eax; ret 2_2_0041D4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4C2 push eax; ret 2_2_0041D4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4CB push eax; ret 2_2_0041D532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041ED53 push dword ptr [914FBFDDh]; ret 2_2_0041ED74
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D52C push eax; ret 2_2_0041D532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E77C push 2E339416h; ret 2_2_0041E842
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041779C push esp; retf 2_2_0041779D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx 2_2_039309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0388EB02 push esp; retn 0000h 2_2_0388EB03
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0388EB1E push esp; retn 0000h 2_2_0388EB1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0388E9B5 push esp; retn 0000h 2_2_0388EAE7
Source: C:\Windows\explorer.exe Code function: 3_2_0E4BAB02 push esp; retn 0000h 3_2_0E4BAB03
Source: C:\Windows\explorer.exe Code function: 3_2_0E4BAB1E push esp; retn 0000h 3_2_0E4BAB1F
Source: C:\Windows\explorer.exe Code function: 3_2_0E4BA9B5 push esp; retn 0000h 3_2_0E4BAAE7
Source: C:\Windows\explorer.exe Code function: 3_2_0E5C7B1E push esp; retn 0000h 3_2_0E5C7B1F
Source: C:\Windows\explorer.exe Code function: 3_2_0E5C7B02 push esp; retn 0000h 3_2_0E5C7B03
Source: C:\Windows\explorer.exe Code function: 3_2_0E5C79B5 push esp; retn 0000h 3_2_0E5C7AE7
Source: C:\Windows\explorer.exe Code function: 3_2_0FCBAB02 push esp; retn 0000h 3_2_0FCBAB03
Source: C:\Windows\explorer.exe Code function: 3_2_0FCBAB1E push esp; retn 0000h 3_2_0FCBAB1F
Source: C:\Windows\explorer.exe Code function: 3_2_0FCBA9B5 push esp; retn 0000h 3_2_0FCBAAE7
Drops PE files
Source: C:\Users\user\Desktop\RFQ 242024.exe File created: C:\Users\user\AppData\Local\piceous\tabulations.exe Jump to dropped file

Boot Survival
barindex
Drops VBS files to the startup folder
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tabulations.vbs Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_004772DE
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_004375B0
Source: C:\Users\user\Desktop\RFQ 242024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00444078 0_2_00444078
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00444078 1_2_00444078
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe API/Special instruction interceptor: Address: 3EB32CC
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe API/Special instruction interceptor: Address: 3F032CC
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 4B9904 second address: 4B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 4B9B6E second address: 4B9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 2799904 second address: 279990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 2799B6E second address: 2799B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 9853 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 797 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 790 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Window / User API: threadDelayed 2590 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Window / User API: threadDelayed 7383 Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\RFQ 242024.exe API coverage: 3.2 %
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe API coverage: 3.3 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5332 Thread sleep time: -19706000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5332 Thread sleep time: -192000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 6528 Thread sleep count: 2590 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 6528 Thread sleep time: -5180000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 6528 Thread sleep count: 7383 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 6528 Thread sleep time: -14766000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 1_2_00452126
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 1_2_0045C999
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00436ADE
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00434BEE
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 1_2_00436D2D
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00442E1F
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0045DD7C FindFirstFileW,FindClose, 1_2_0045DD7C
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 1_2_0044BD29
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00475FE5
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_0044BF8D
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: explorer.exe, 00000003.00000002.4210779680.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: tabulations.exe, 00000001.00000002.1772368981.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\~
Source: explorer.exe, 00000003.00000003.3112584324.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000003.00000003.3112584324.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000003.00000002.4210779680.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000002.4199926862.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000003.00000002.4203309500.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: tabulations.exe, 00000001.00000002.1772368981.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.4211841560.000000000997A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.1778528179.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000003.00000003.3112584324.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000003.00000000.1783846203.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3112584324.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3112584324.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4207257415.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4207257415.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1783846203.00000000097D4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000002.4211841560.000000000997A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000003.3111512788.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4203309500.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3531957351.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1778528179.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000003.00000002.4199926862.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000002.4206677878.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000003.00000002.4199926862.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040ACE0 LdrLoadDll, 2_2_0040ACE0
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_03FD3598 mov eax, dword ptr fs:[00000030h] 0_2_03FD3598
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_03FD3538 mov eax, dword ptr fs:[00000030h] 0_2_03FD3538
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_03FD1EE8 mov eax, dword ptr fs:[00000030h] 0_2_03FD1EE8
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_03EB3598 mov eax, dword ptr fs:[00000030h] 1_2_03EB3598
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_03EB3538 mov eax, dword ptr fs:[00000030h] 1_2_03EB3538
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_03EB1EE8 mov eax, dword ptr fs:[00000030h] 1_2_03EB1EE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h] 2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h] 2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h] 2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h] 2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h] 2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h] 2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h] 2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h] 2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h] 2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h] 2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h] 2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h] 2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h] 2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039EC3CD mov eax, dword ptr fs:[00000030h] 2_2_039EC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] 2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] 2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] 2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] 2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B63C0 mov eax, dword ptr fs:[00000030h] 2_2_039B63C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039663FF mov eax, dword ptr fs:[00000030h] 2_2_039663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392C310 mov ecx, dword ptr fs:[00000030h] 2_2_0392C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03950310 mov ecx, dword ptr fs:[00000030h] 2_2_03950310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h] 2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h] 2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h] 2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B035C mov ecx, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FA352 mov eax, dword ptr fs:[00000030h] 2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D8350 mov ecx, dword ptr fs:[00000030h] 2_2_039D8350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D437C mov eax, dword ptr fs:[00000030h] 2_2_039D437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h] 2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h] 2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h] 2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h] 2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h] 2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h] 2_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h] 2_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h] 2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h] 2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h] 2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392823B mov eax, dword ptr fs:[00000030h] 2_2_0392823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392A250 mov eax, dword ptr fs:[00000030h] 2_2_0392A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936259 mov eax, dword ptr fs:[00000030h] 2_2_03936259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h] 2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h] 2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B8243 mov eax, dword ptr fs:[00000030h] 2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B8243 mov ecx, dword ptr fs:[00000030h] 2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h] 2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h] 2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h] 2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392826B mov eax, dword ptr fs:[00000030h] 2_2_0392826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] 2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] 2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] 2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] 2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h] 2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h] 2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h] 2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03970185 mov eax, dword ptr fs:[00000030h] 2_2_03970185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h] 2_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h] 2_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h] 2_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h] 2_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h] 2_2_03A061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h] 2_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h] 2_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h] 2_2_039601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h] 2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h] 2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h] 2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h] 2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h] 2_2_039F0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03960124 mov eax, dword ptr fs:[00000030h] 2_2_03960124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h] 2_2_0392C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h] 2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h] 2_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h] 2_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h] 2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h] 2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h] 2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h] 2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h] 2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393208A mov eax, dword ptr fs:[00000030h] 2_2_0393208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h] 2_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h] 2_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h] 2_2_039C80A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h] 2_2_039B20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h] 2_2_0392C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h] 2_2_039720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_0392A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h] 2_2_039380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h] 2_2_039B60E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h] 2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h] 2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h] 2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h] 2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h] 2_2_039B4000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h] 2_2_039C6030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h] 2_2_0392A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h] 2_2_0392C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03932050 mov eax, dword ptr fs:[00000030h] 2_2_03932050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h] 2_2_039B6050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h] 2_2_0395C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D678E mov eax, dword ptr fs:[00000030h] 2_2_039D678E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039307AF mov eax, dword ptr fs:[00000030h] 2_2_039307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E47A0 mov eax, dword ptr fs:[00000030h] 2_2_039E47A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h] 2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h] 2_2_039B07C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h] 2_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h] 2_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h] 2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h] 2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h] 2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h] 2_2_039BE7E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930710 mov eax, dword ptr fs:[00000030h] 2_2_03930710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03960710 mov eax, dword ptr fs:[00000030h] 2_2_03960710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h] 2_2_0396C700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h] 2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396273C mov ecx, dword ptr fs:[00000030h] 2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h] 2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AC730 mov eax, dword ptr fs:[00000030h] 2_2_039AC730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h] 2_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h] 2_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930750 mov eax, dword ptr fs:[00000030h] 2_2_03930750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BE75D mov eax, dword ptr fs:[00000030h] 2_2_039BE75D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h] 2_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h] 2_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B4755 mov eax, dword ptr fs:[00000030h] 2_2_039B4755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396674D mov esi, dword ptr fs:[00000030h] 2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h] 2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h] 2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938770 mov eax, dword ptr fs:[00000030h] 2_2_03938770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03934690 mov eax, dword ptr fs:[00000030h] 2_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03934690 mov eax, dword ptr fs:[00000030h] 2_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039666B0 mov eax, dword ptr fs:[00000030h] 2_2_039666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396C6A6 mov eax, dword ptr fs:[00000030h] 2_2_0396C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396A6C7 mov eax, dword ptr fs:[00000030h] 2_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h] 2_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h] 2_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03972619 mov eax, dword ptr fs:[00000030h] 2_2_03972619
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE609 mov eax, dword ptr fs:[00000030h] 2_2_039AE609
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h] 2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h] 2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h] 2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h] 2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h] 2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h] 2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h] 2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394E627 mov eax, dword ptr fs:[00000030h] 2_2_0394E627
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03966620 mov eax, dword ptr fs:[00000030h] 2_2_03966620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03968620 mov eax, dword ptr fs:[00000030h] 2_2_03968620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393262C mov eax, dword ptr fs:[00000030h] 2_2_0393262C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394C640 mov eax, dword ptr fs:[00000030h] 2_2_0394C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03962674 mov eax, dword ptr fs:[00000030h] 2_2_03962674
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F866E mov eax, dword ptr fs:[00000030h] 2_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F866E mov eax, dword ptr fs:[00000030h] 2_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h] 2_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h] 2_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E59C mov eax, dword ptr fs:[00000030h] 2_2_0396E59C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03932582 mov eax, dword ptr fs:[00000030h] 2_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03932582 mov ecx, dword ptr fs:[00000030h] 2_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03964588 mov eax, dword ptr fs:[00000030h] 2_2_03964588
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h] 2_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h] 2_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h] 2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h] 2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h] 2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039365D0 mov eax, dword ptr fs:[00000030h] 2_2_039365D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h] 2_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h] 2_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039325E0 mov eax, dword ptr fs:[00000030h] 2_2_039325E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h] 2_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h] 2_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C6500 mov eax, dword ptr fs:[00000030h] 2_2_039C6500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h] 2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h] 2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h] 2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h] 2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h] 2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h] 2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h] 2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h] 2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h] 2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h] 2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h] 2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h] 2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h] 2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h] 2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h] 2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h] 2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h] 2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h] 2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938550 mov eax, dword ptr fs:[00000030h] 2_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938550 mov eax, dword ptr fs:[00000030h] 2_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h] 2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h] 2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h] 2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039EA49A mov eax, dword ptr fs:[00000030h] 2_2_039EA49A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039644B0 mov ecx, dword ptr fs:[00000030h] 2_2_039644B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BA4B0 mov eax, dword ptr fs:[00000030h] 2_2_039BA4B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039364AB mov eax, dword ptr fs:[00000030h] 2_2_039364AB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039304E5 mov ecx, dword ptr fs:[00000030h] 2_2_039304E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h] 2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h] 2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h] 2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h] 2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h] 2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h] 2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392C427 mov eax, dword ptr fs:[00000030h] 2_2_0392C427
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h] 2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h] 2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h] 2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h] 2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h] 2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h] 2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h] 2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039EA456 mov eax, dword ptr fs:[00000030h] 2_2_039EA456
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392645D mov eax, dword ptr fs:[00000030h] 2_2_0392645D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395245A mov eax, dword ptr fs:[00000030h] 2_2_0395245A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h] 2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h] 2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h] 2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h] 2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h] 2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h] 2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h] 2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h] 2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h] 2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h] 2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h] 2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC460 mov ecx, dword ptr fs:[00000030h] 2_2_039BC460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h] 2_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h] 2_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DEBD0 mov eax, dword ptr fs:[00000030h] 2_2_039DEBD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h] 2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h] 2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h] 2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h] 2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h] 2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h] 2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h] 2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h] 2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h] 2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EBFC mov eax, dword ptr fs:[00000030h] 2_2_0395EBFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BCBF0 mov eax, dword ptr fs:[00000030h] 2_2_039BCBF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h] 2_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h] 2_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h] 2_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h] 2_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DEB50 mov eax, dword ptr fs:[00000030h] 2_2_039DEB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h] 2_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h] 2_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h] 2_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h] 2_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FAB40 mov eax, dword ptr fs:[00000030h] 2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D8B42 mov eax, dword ptr fs:[00000030h] 2_2_039D8B42
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392CB7E mov eax, dword ptr fs:[00000030h] 2_2_0392CB7E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03968A90 mov edx, dword ptr fs:[00000030h] 2_2_03968A90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04A80 mov eax, dword ptr fs:[00000030h] 2_2_03A04A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h] 2_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h] 2_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03986AA4 mov eax, dword ptr fs:[00000030h] 2_2_03986AA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930AD0 mov eax, dword ptr fs:[00000030h] 2_2_03930AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h] 2_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h] 2_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h] 2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h] 2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h] 2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h] 2_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h] 2_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BCA11 mov eax, dword ptr fs:[00000030h] 2_2_039BCA11
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h] 2_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h] 2_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA24 mov eax, dword ptr fs:[00000030h] 2_2_0396CA24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EA2E mov eax, dword ptr fs:[00000030h] 2_2_0395EA2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h] 2_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h] 2_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h] 2_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h] 2_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h] 2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h] 2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h] 2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DEA60 mov eax, dword ptr fs:[00000030h] 2_2_039DEA60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B89B3 mov esi, dword ptr fs:[00000030h] 2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h] 2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h] 2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h] 2_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h] 2_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039649D0 mov eax, dword ptr fs:[00000030h] 2_2_039649D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FA9D3 mov eax, dword ptr fs:[00000030h] 2_2_039FA9D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C69C0 mov eax, dword ptr fs:[00000030h] 2_2_039C69C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h] 2_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h] 2_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BE9E0 mov eax, dword ptr fs:[00000030h] 2_2_039BE9E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC912 mov eax, dword ptr fs:[00000030h] 2_2_039BC912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h] 2_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h] 2_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h] 2_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h] 2_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B892A mov eax, dword ptr fs:[00000030h] 2_2_039B892A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C892B mov eax, dword ptr fs:[00000030h] 2_2_039C892B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B0946 mov eax, dword ptr fs:[00000030h] 2_2_039B0946
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h] 2_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h] 2_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC97C mov eax, dword ptr fs:[00000030h] 2_2_039BC97C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h] 2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h] 2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h] 2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h] 2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0397096E mov edx, dword ptr fs:[00000030h] 2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h] 2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC89D mov eax, dword ptr fs:[00000030h] 2_2_039BC89D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930887 mov eax, dword ptr fs:[00000030h] 2_2_03930887
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E8C0 mov eax, dword ptr fs:[00000030h] 2_2_0395E8C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FA8E4 mov eax, dword ptr fs:[00000030h] 2_2_039FA8E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC810 mov eax, dword ptr fs:[00000030h] 2_2_039BC810
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h] 2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h] 2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h] 2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov ecx, dword ptr fs:[00000030h] 2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h] 2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h] 2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396A830 mov eax, dword ptr fs:[00000030h] 2_2_0396A830
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D483A mov eax, dword ptr fs:[00000030h] 2_2_039D483A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D483A mov eax, dword ptr fs:[00000030h] 2_2_039D483A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03960854 mov eax, dword ptr fs:[00000030h] 2_2_03960854
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03934859 mov eax, dword ptr fs:[00000030h] 2_2_03934859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03934859 mov eax, dword ptr fs:[00000030h] 2_2_03934859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03942840 mov ecx, dword ptr fs:[00000030h] 2_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BE872 mov eax, dword ptr fs:[00000030h] 2_2_039BE872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BE872 mov eax, dword ptr fs:[00000030h] 2_2_039BE872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C6870 mov eax, dword ptr fs:[00000030h] 2_2_039C6870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C6870 mov eax, dword ptr fs:[00000030h] 2_2_039C6870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03962F98 mov eax, dword ptr fs:[00000030h] 2_2_03962F98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03962F98 mov eax, dword ptr fs:[00000030h] 2_2_03962F98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CF80 mov eax, dword ptr fs:[00000030h] 2_2_0396CF80
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
Enables debug privileges
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0042202E SetUnhandledExceptionFilter, 1_2_0042202E
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004230F5
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00417D93
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00421FA7

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 2580 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Thread register set: target process: 2580 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 2580 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\systray.exe base address: EA0000 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: A0000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F09008 Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 99C008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_00436431
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ 242024.exe" Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\piceous\tabulations.exe "C:\Users\user\AppData\Local\piceous\tabulations.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\piceous\tabulations.exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: RFQ 242024.exe, tabulations.exe, explorer.exe, 00000003.00000002.4200595115.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1783846203.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4202981380.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.4200595115.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1776551368.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: RFQ 242024.exe, tabulations.exe.0.dr Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000000.1776260071.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4199926862.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000003.00000002.4200595115.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1776551368.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000002.4203309500.00000000079D3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd|0
Source: explorer.exe, 00000003.00000002.4200595115.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1776551368.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_0042039F
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Users\user\Desktop\RFQ 242024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 8.2.tabulations.exe.30b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tabulations.exe.30b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tabulations.exe.2bd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tabulations.exe.2bd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1946757380.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4199678590.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1946265005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1772698758.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4200098980.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1910016870.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1829240450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4200172422.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1946641867.00000000007D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1831323631.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1829945213.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1950270407.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
OS version to string mapping found (often used in BOTs)
Source: tabulations.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: tabulations.exe Binary or memory string: WIN_XP
Source: tabulations.exe Binary or memory string: WIN_XPe
Source: tabulations.exe Binary or memory string: WIN_VISTA
Source: tabulations.exe Binary or memory string: WIN_7

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 8.2.tabulations.exe.30b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tabulations.exe.30b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tabulations.exe.2bd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.tabulations.exe.2bd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1946757380.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4199678590.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1946265005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1772698758.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4200098980.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1910016870.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1829240450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4200172422.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1946641867.00000000007D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1831323631.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1829945213.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1950270407.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\RFQ 242024.exe Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 1_2_004741BB
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 1_2_0046483C
Source: C:\Users\user\AppData\Local\piceous\tabulations.exe Code function: 1_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 1_2_0047AD92
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1541408 Sample: RFQ 242024.exe Startdate: 24/10/2024 Architecture: WINDOWS Score: 100 45 www.yzq0n.top 2->45 47 www.reativedreams.design 2->47 49 10 other IPs or domains 2->49 59 Suricata IDS alerts for network traffic 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 10 other signatures 2->65 12 RFQ 242024.exe 3 2->12         started        signatures3 process4 file5 41 C:\Users\user\AppData\...\tabulations.exe, PE32 12->41 dropped 15 tabulations.exe 1 12->15         started        process6 file7 43 C:\Users\user\AppData\...\tabulations.vbs, data 15->43 dropped 51 Multi AV Scanner detection for dropped file 15->51 53 Machine Learning detection for dropped file 15->53 55 Drops VBS files to the startup folder 15->55 57 4 other signatures 15->57 19 svchost.exe 15->19         started        signatures8 process9 signatures10 67 Modifies the context of a thread in another process (thread injection) 19->67 69 Maps a DLL or memory area into another process 19->69 71 Sample uses process hollowing technique 19->71 73 3 other signatures 19->73 22 explorer.exe 73 2 19->22 injected process11 process12 24 wscript.exe 1 22->24         started        27 systray.exe 22->27         started        29 raserver.exe 22->29         started        signatures13 81 Windows Scripting host queries suspicious COM object (likely to drop second stage) 24->81 31 tabulations.exe 24->31         started        83 Modifies the context of a thread in another process (thread injection) 27->83 85 Maps a DLL or memory area into another process 27->85 87 Tries to detect virtualization through RDTSC time measurements 27->87 89 Switches to a custom stack to bypass stack traces 27->89 34 cmd.exe 1 27->34         started        process14 signatures15 91 Writes to foreign memory regions 31->91 93 Maps a DLL or memory area into another process 31->93 36 svchost.exe 31->36         started        39 conhost.exe 34->39         started        process16 signatures17 75 Modifies the context of a thread in another process (thread injection) 36->75 77 Maps a DLL or memory area into another process 36->77 79 Sample uses process hollowing technique 36->79
No contacted IP infos

Contacted Domains

Name IP Active
www.irex.info 85.13.166.18 true
www.ordf.top unknown unknown
www.f6b-crxy.top unknown unknown
www.n-wee.buzz unknown unknown
www.fios.top unknown unknown
www.reativedreams.design unknown unknown
www.asukacro.online unknown unknown
www.kdsclci.bond unknown unknown
www.5mwhs.top unknown unknown
www.yzq0n.top unknown unknown
www.hopp9.top unknown unknown
www.5734.party unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.f6b-crxy.top/cu29/ true
    		unknown