Windows Analysis Report
PAID CA2686+CA2687+CA2688.exe

Overview

General Information

Sample name: PAID CA2686+CA2687+CA2688.exe
Analysis ID: 1543813
MD5: a4b51a4a802bbd22c815f978f47ea06f
SHA1: a8735f152d4e1e21d2ed3095821b909b022a4201
SHA256: 069a4c2c42050c9037f6a11f9083b312c8bc3159fbe2b73f1e84760da762e6a8
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected FormBook
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Found malware configuration
Source: 00000001.00000002.1821424988.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.f6b-crxy.top/cu29/"], "decoy": ["qidr.shop", "usinessaviationconsulting.net", "68716329.xyz", "nd-los.net", "ealthironcladguarantee.shop", "oftware-download-69354.bond", "48372305.top", "omeownershub.top", "mall-chilli.top", "ajakgoid.online", "ire-changer-53482.bond", "rugsrx.shop", "oyang123.info", "azino-forum-pro.online", "817715.rest", "layman.vip", "eb777.club", "ovatonica.net", "urgaslotvip.website", "inn-paaaa.buzz", "reativedreams.design", "upremehomes.shop", "ames-saaab.buzz", "phonelock.xyz", "ideandseekvacations.xyz", "77179ksuhr.top", "ental-bridges-87553.bond", "7win2.bet", "ainan.company", "5mwhs.top", "hopp9.top", "65fhgejd3.xyz", "olandopaintingllc.online", "n-wee.buzz", "reshcasinoinfo2.top", "5734.party", "qtbyj.live", "gil.lat", "siabgc4d.online", "fios.top", "sed-cars-89003.bond", "nlineschools-2507-001-sap.click", "upiloffatemotors.online", "ordf.top", "achhonglan.shop", "irex.info", "oursmile.vip", "leachlondonstore.online", "asukacro.online", "panish-classes-64045.bond", "apita.top", "srtio.xyz", "kdsclci.bond", "ochacha.sbs", "oldsteps.buzz", "yzq0n.top", "npostl.xyz", "ladder-cancer-symptoms-mine.sbs", "400725iimfyuj120.top", "3589.photo", "rasilhojenoticias.online", "ependableequipment.online", "itusbandar126.info", "ohns.app"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe ReversingLabs: Detection: 63%
Multi AV Scanner detection for submitted file
Source: PAID CA2686+CA2687+CA2688.exe ReversingLabs: Detection: 63%
Yara detected FormBook
Source: Yara match File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.subpredicate.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.subpredicate.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.subpredicate.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.subpredicate.exe.2ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1821424988.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1891937275.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4229145919.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1977797675.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1943729283.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1891494654.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1977867744.0000000003870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1985487468.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4228922642.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4228627536.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1976601301.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1891157084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PAID CA2686+CA2687+CA2688.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: PAID CA2686+CA2687+CA2688.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: systray.pdb source: svchost.exe, 00000002.00000002.1891636834.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1891843269.00000000037F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.1891609279.0000000003400000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4228481901.0000000000060000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: msdt.pdbGCTL source: svchost.exe, 0000000C.00000003.1976225426.000000000347B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1976026188.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1979179878.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000003.1976026188.000000000347B000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000002.1985172664.0000000000310000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: systray.pdbGCTL source: svchost.exe, 00000002.00000002.1891636834.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1891843269.00000000037F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.1891609279.0000000003400000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4228481901.0000000000060000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: subpredicate.exe, 00000001.00000003.1818045897.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 00000001.00000003.1820116092.0000000004530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1892029982.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1820604175.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1892029982.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1822606229.0000000003900000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1893291940.0000000004DA1000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4229465366.0000000004F50000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1891373718.0000000004BF5000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4229465366.00000000050EE000.00000040.00001000.00020000.00000000.sdmp, subpredicate.exe, 0000000A.00000003.1941588547.0000000004640000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 0000000A.00000003.1941952015.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1978306297.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1978306297.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1944013702.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1942163961.0000000003600000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000003.1977240698.00000000046D1000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000002.1986903941.0000000004BCE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000010.00000003.1983091572.0000000004883000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000002.1986903941.0000000004A30000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: subpredicate.exe, 00000001.00000003.1818045897.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 00000001.00000003.1820116092.0000000004530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1892029982.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1820604175.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1892029982.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1822606229.0000000003900000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1893291940.0000000004DA1000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4229465366.0000000004F50000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1891373718.0000000004BF5000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4229465366.00000000050EE000.00000040.00001000.00020000.00000000.sdmp, subpredicate.exe, 0000000A.00000003.1941588547.0000000004640000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 0000000A.00000003.1941952015.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1978306297.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1978306297.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1944013702.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1942163961.0000000003600000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000003.1977240698.00000000046D1000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000002.1986903941.0000000004BCE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000010.00000003.1983091572.0000000004883000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000002.1986903941.0000000004A30000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4242567585.0000000010EDF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.4228753453.0000000003046000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4230115897.000000000549F000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4242567585.0000000010EDF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.4228753453.0000000003046000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4230115897.000000000549F000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: msdt.pdb source: svchost.exe, 0000000C.00000003.1976225426.000000000347B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1976026188.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1979179878.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000003.1976026188.000000000347B000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000002.1985172664.0000000000310000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 1_2_00452126
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 1_2_0045C999
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00436ADE
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00434BEE
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 1_2_00436D2D
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00442E1F
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0045DD7C FindFirstFileW,FindClose, 1_2_0045DD7C
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 1_2_0044BD29
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00475FE5
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_0044BF8D
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop ebx 2_2_00407B22

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.f6b-crxy.top/cu29/
Performs DNS queries to domains with low reputation
Source: DNS query: www.65fhgejd3.xyz
Source: DNS query: www.68716329.xyz
Tries to resolve many domain names, but no domain seems valid
Source: unknown DNS traffic detected: query: www.68716329.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ependableequipment.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ovatonica.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.eb777.club replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.achhonglan.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.65fhgejd3.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ealthironcladguarantee.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.f6b-crxy.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.yzq0n.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.3589.photo replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.olandopaintingllc.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.qidr.shop replaycode: Name error (3)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: www.68716329.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ependableequipment.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ovatonica.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.eb777.club replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.achhonglan.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.65fhgejd3.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ealthironcladguarantee.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.f6b-crxy.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.yzq0n.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.3589.photo replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.olandopaintingllc.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.qidr.shop replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: global traffic DNS traffic detected: DNS query: www.f6b-crxy.top
Source: global traffic DNS traffic detected: DNS query: www.3589.photo
Source: global traffic DNS traffic detected: DNS query: www.eb777.club
Source: global traffic DNS traffic detected: DNS query: www.ealthironcladguarantee.shop
Source: global traffic DNS traffic detected: DNS query: www.65fhgejd3.xyz
Source: global traffic DNS traffic detected: DNS query: www.yzq0n.top
Source: global traffic DNS traffic detected: DNS query: www.ependableequipment.online
Source: global traffic DNS traffic detected: DNS query: www.qidr.shop
Source: global traffic DNS traffic detected: DNS query: www.ovatonica.net
Source: global traffic DNS traffic detected: DNS query: www.achhonglan.shop
Source: global traffic DNS traffic detected: DNS query: www.olandopaintingllc.online
Source: global traffic DNS traffic detected: DNS query: www.68716329.xyz
Source: explorer.exe, 00000003.00000000.1835273779.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106675114.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1831846866.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4235696558.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3569453956.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106493709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.1835273779.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106675114.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1831846866.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4235696558.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3569453956.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106493709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000000.1835273779.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106675114.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1831846866.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4235696558.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3569453956.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106493709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000000.1835273779.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106675114.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1831846866.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4235696558.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3569453956.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106493709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000000.1831846866.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000000.1833307910.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1834130346.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1837379302.0000000009B60000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.3589.photo
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.3589.photo/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.3589.photo/cu29/www.eb777.club
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.3589.photoReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.65fhgejd3.xyz
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.65fhgejd3.xyz/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.65fhgejd3.xyz/cu29/www.yzq0n.top
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.65fhgejd3.xyzReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.68716329.xyz
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.68716329.xyz/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.68716329.xyz/cu29/www.rugsrx.shop
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.68716329.xyzReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.817715.rest
Source: explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.817715.rest/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.817715.restReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.achhonglan.shop
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.achhonglan.shop/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.achhonglan.shop/cu29/www.olandopaintingllc.online
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.achhonglan.shopReferer:
Source: explorer.exe, 00000003.00000003.3106243322.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3105668322.000000000C999000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1839655792.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4240815666.000000000C9AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3569193951.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ealthironcladguarantee.shop
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ealthironcladguarantee.shop/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ealthironcladguarantee.shop/cu29/www.65fhgejd3.xyz
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ealthironcladguarantee.shopReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eb777.club
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eb777.club/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eb777.club/cu29/www.ealthironcladguarantee.shop
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eb777.clubReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ependableequipment.online
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ependableequipment.online/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ependableequipment.online/cu29/www.qidr.shop
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ependableequipment.onlineReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f6b-crxy.top
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f6b-crxy.top/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f6b-crxy.top/cu29/www.3589.photo
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f6b-crxy.topReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olandopaintingllc.online
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olandopaintingllc.online/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olandopaintingllc.online/cu29/www.68716329.xyz
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olandopaintingllc.onlineReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ovatonica.net
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ovatonica.net/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ovatonica.net/cu29/www.achhonglan.shop
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ovatonica.netReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qidr.shop
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qidr.shop/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qidr.shop/cu29/www.ovatonica.net
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qidr.shopReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rugsrx.shop
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rugsrx.shop/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rugsrx.shop/cu29/www.srtio.xyz
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rugsrx.shopReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.srtio.xyz
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.srtio.xyz/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.srtio.xyz/cu29/www.upremehomes.shop
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.srtio.xyzReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.upremehomes.shop
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.upremehomes.shop/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.upremehomes.shop/cu29/www.817715.rest
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.upremehomes.shopReferer:
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yzq0n.top
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yzq0n.top/cu29/
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yzq0n.top/cu29/www.ependableequipment.online
Source: explorer.exe, 00000003.00000003.3105190170.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106197588.000000000CB72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4241351586.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yzq0n.topReferer:
Source: explorer.exe, 00000003.00000002.4239464587.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1839655792.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000003.00000002.4231735203.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1831846866.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3569453956.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106493709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000003.00000002.4231735203.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1831846866.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3569453956.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106493709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000003.00000002.4239464587.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1839655792.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000000.1835273779.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4235696558.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106675114.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.1835273779.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4235696558.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106675114.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000003.00000002.4228788665.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1830000358.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4229775291.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1830621230.0000000003700000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000000.1835273779.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106675114.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4235696558.0000000009702000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000003.00000000.1835273779.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4235696558.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106675114.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000000.1835273779.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106675114.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4235696558.0000000009702000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000000.1831846866.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000003.00000000.1831846866.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000003.00000002.4239464587.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1839655792.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000003.00000000.1831846866.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000003.00000002.4239464587.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1839655792.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000003.00000002.4239464587.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1839655792.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000000.1839655792.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4239464587.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000003.00000002.4239464587.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1839655792.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1831846866.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000003.00000002.4231735203.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000003.00000000.1831846866.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 1_2_00459FFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00456354
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C08E
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_0047C08E

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.subpredicate.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.subpredicate.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.subpredicate.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.subpredicate.exe.2ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1821424988.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1891937275.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4229145919.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1977797675.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1943729283.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1891494654.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1977867744.0000000003870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1985487468.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4228922642.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4228627536.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1976601301.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1891157084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.subpredicate.exe.3b00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 10.2.subpredicate.exe.3b00000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.subpredicate.exe.3b00000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.subpredicate.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.subpredicate.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.subpredicate.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.subpredicate.exe.3b00000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 10.2.subpredicate.exe.3b00000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.subpredicate.exe.3b00000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.subpredicate.exe.2ca0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.subpredicate.exe.2ca0000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.subpredicate.exe.2ca0000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4243037289.00000000118AA000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000001.00000002.1821424988.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1821424988.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1821424988.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1891937275.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1891937275.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1891937275.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4229145919.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4229145919.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4229145919.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.1977797675.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1977797675.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1977797675.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.1943729283.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.1943729283.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.1943729283.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1891494654.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1891494654.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1891494654.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.1977867744.0000000003870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1977867744.0000000003870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1977867744.0000000003870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.1985487468.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.1985487468.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.1985487468.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4228922642.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4228922642.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4228922642.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4228627536.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4228627536.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4228627536.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.1976601301.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1976601301.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1976601301.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1891157084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1891157084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1891157084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: subpredicate.exe PID: 7328, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7356, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: systray.exe PID: 7416, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: subpredicate.exe PID: 7660, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7724, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 7796, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A320 NtCreateFile, 2_2_0041A320
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A3D0 NtReadFile, 2_2_0041A3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A450 NtClose, 2_2_0041A450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A500 NtAllocateVirtualMemory, 2_2_0041A500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A31B NtCreateFile, 2_2_0041A31B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A44A NtClose, 2_2_0041A44A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A4FA NtAllocateVirtualMemory, 2_2_0041A4FA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72B60 NtClose,LdrInitializeThunk, 2_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72AD0 NtReadFile,LdrInitializeThunk, 2_2_03B72AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72FB0 NtResumeThread,LdrInitializeThunk, 2_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72F90 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03B72F90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72FE0 NtCreateFile,LdrInitializeThunk, 2_2_03B72FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72F30 NtCreateSection,LdrInitializeThunk, 2_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_03B72EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72E80 NtReadVirtualMemory,LdrInitializeThunk, 2_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72DD0 NtDelayExecution,LdrInitializeThunk, 2_2_03B72DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72D30 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72D10 NtMapViewOfSection,LdrInitializeThunk, 2_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72CA0 NtQueryInformationToken,LdrInitializeThunk, 2_2_03B72CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_03B72C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B74340 NtSetContextThread, 2_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B73090 NtSetValueKey, 2_2_03B73090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B73010 NtOpenDirectoryObject, 2_2_03B73010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B74650 NtSuspendThread, 2_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B735C0 NtCreateMutant, 2_2_03B735C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72BA0 NtEnumerateValueKey, 2_2_03B72BA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72B80 NtQueryInformationFile, 2_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72BE0 NtQueryValueKey, 2_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72AB0 NtWaitForSingleObject, 2_2_03B72AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72AF0 NtWriteFile, 2_2_03B72AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B739B0 NtGetContextThread, 2_2_03B739B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72FA0 NtQuerySection, 2_2_03B72FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72F60 NtCreateProcessEx, 2_2_03B72F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72EE0 NtQueueApcThread, 2_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72E30 NtWriteVirtualMemory, 2_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72DB0 NtEnumerateKey, 2_2_03B72DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B73D10 NtOpenProcessToken, 2_2_03B73D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72D00 NtSetInformationFile, 2_2_03B72D00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B73D70 NtOpenThread, 2_2_03B73D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72CF0 NtOpenProcess, 2_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72CC0 NtQueryVirtualMemory, 2_2_03B72CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72C00 NtQueryInformationProcess, 2_2_03B72C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72C60 NtCreateKey, 2_2_03B72C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A8A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 2_2_03A8A036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A8A042 NtQueryInformationProcess, 2_2_03A8A042
Source: C:\Windows\explorer.exe Code function: 3_2_11893E12 NtProtectVirtualMemory, 3_2_11893E12
Source: C:\Windows\explorer.exe Code function: 3_2_11892232 NtCreateFile, 3_2_11892232
Source: C:\Windows\explorer.exe Code function: 3_2_11893E0A NtProtectVirtualMemory, 3_2_11893E0A
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004461ED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 1_2_004364AA
Detected potential crypto function
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00409A40 0_2_00409A40
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00412038 0_2_00412038
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0047E1FA 0_2_0047E1FA
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0041A46B 0_2_0041A46B
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0041240C 0_2_0041240C
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004045E0 0_2_004045E0
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00412818 0_2_00412818
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0047CBF0 0_2_0047CBF0
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0044EBBC 0_2_0044EBBC
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00412C38 0_2_00412C38
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0044ED9A 0_2_0044ED9A
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00424F70 0_2_00424F70
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0041AF0D 0_2_0041AF0D
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00427161 0_2_00427161
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004212BE 0_2_004212BE
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00443390 0_2_00443390
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00443391 0_2_00443391
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0041D750 0_2_0041D750
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004037E0 0_2_004037E0
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00427859 0_2_00427859
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0040F890 0_2_0040F890
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0042397B 0_2_0042397B
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00411B63 0_2_00411B63
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00423EBF 0_2_00423EBF
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_040CA6B0 0_2_040CA6B0
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00409A40 1_2_00409A40
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00412038 1_2_00412038
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0047E1FA 1_2_0047E1FA
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0041A46B 1_2_0041A46B
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0041240C 1_2_0041240C
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_004045E0 1_2_004045E0
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00412818 1_2_00412818
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0047CBF0 1_2_0047CBF0
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0044EBBC 1_2_0044EBBC
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00412C38 1_2_00412C38
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0044ED9A 1_2_0044ED9A
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00424F70 1_2_00424F70
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0041AF0D 1_2_0041AF0D
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00427161 1_2_00427161
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_004212BE 1_2_004212BE
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00443390 1_2_00443390
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00443391 1_2_00443391
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0041D750 1_2_0041D750
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_004037E0 1_2_004037E0
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00427859 1_2_00427859
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0040F890 1_2_0040F890
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0042397B 1_2_0042397B
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00411B63 1_2_00411B63
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00423EBF 1_2_00423EBF
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_03F696B8 1_2_03F696B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041ED75 2_2_0041ED75
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409E4C 2_2_00409E4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409E50 2_2_00409E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041EE8A 2_2_0041EE8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D772 2_2_0041D772
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E77C 2_2_0041E77C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B8739A 2_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C003E6 2_2_03C003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E3F0 2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF132D 2_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFA352 2_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2D34C 2_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B452A0 2_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5D2F0 2_2_03B5D2F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B2C0 2_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4B1B0 2_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C001AA 2_2_03C001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF81CC 2_2_03BF81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDA118 2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0B16B 2_2_03C0B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30100 2_2_03B30100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7516C 2_2_03B7516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC8158 2_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF70E9 2_2_03BF70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFF0E0 2_2_03BFF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEF0CC 2_2_03BEF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFF7B0 2_2_03BFF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3C7C0 2_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B64750 2_2_03B64750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5C6E0 2_2_03B5C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF16CC 2_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDD5B0 2_2_03BDD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C00591 2_2_03C00591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40535 2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF7571 2_2_03BF7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEE4F6 2_2_03BEE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFF43F 2_2_03BFF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B31460 2_2_03B31460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF2446 2_2_03BF2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B09B80 2_2_03B09B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5FB80 2_2_03B5FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB5BF0 2_2_03BB5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7DBF9 2_2_03B7DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF6BD7 2_2_03BF6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFB76 2_2_03BFFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFAB40 2_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDDAAC 2_2_03BDDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B85AA0 2_2_03B85AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3EA80 2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEDAC6 2_2_03BEDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB3A6C 2_2_03BB3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFA49 2_2_03BFFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF7A46 2_2_03BF7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0A9A6 2_2_03C0A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B56962 2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B49950 2_2_03B49950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B950 2_2_03B5B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B268B8 2_2_03B268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6E8F0 2_2_03B6E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B438E0 2_2_03B438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAD800 2_2_03BAD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B42840 2_2_03B42840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4A840 2_2_03B4A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFFB1 2_2_03BFFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41F92 2_2_03B41F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B03FD2 2_2_03B03FD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B03FD5 2_2_03B03FD5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B32FC8 2_2_03B32FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B60F30 2_2_03B60F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B82F28 2_2_03B82F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFF09 2_2_03BFFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB4F40 2_2_03BB4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B49EB0 2_2_03B49EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B52E90 2_2_03B52E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFCE93 2_2_03BFCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFEEDB 2_2_03BFEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFEE26 2_2_03BFEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40E59 2_2_03B40E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B58DBF 2_2_03B58DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3ADE0 2_2_03B3ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5FDC0 2_2_03B5FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4AD00 2_2_03B4AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF7D73 2_2_03BF7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF1D5A 2_2_03BF1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B43D40 2_2_03B43D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0CB5 2_2_03BE0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30CF2 2_2_03B30CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFCF2 2_2_03BFFCF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB9C32 2_2_03BB9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40C00 2_2_03B40C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A8A036 2_2_03A8A036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A8B232 2_2_03A8B232
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A81082 2_2_03A81082
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A8E5CD 2_2_03A8E5CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A85B30 2_2_03A85B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A85B32 2_2_03A85B32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A88912 2_2_03A88912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A82D02 2_2_03A82D02
Source: C:\Windows\explorer.exe Code function: 3_2_0FC52B30 3_2_0FC52B30
Source: C:\Windows\explorer.exe Code function: 3_2_0FC52B32 3_2_0FC52B32
Source: C:\Windows\explorer.exe Code function: 3_2_0FC58232 3_2_0FC58232
Source: C:\Windows\explorer.exe Code function: 3_2_0FC5B5CD 3_2_0FC5B5CD
Source: C:\Windows\explorer.exe Code function: 3_2_0FC4FD02 3_2_0FC4FD02
Source: C:\Windows\explorer.exe Code function: 3_2_0FC55912 3_2_0FC55912
Source: C:\Windows\explorer.exe Code function: 3_2_0FC4E082 3_2_0FC4E082
Source: C:\Windows\explorer.exe Code function: 3_2_0FC57036 3_2_0FC57036
Source: C:\Windows\explorer.exe Code function: 3_2_116F3D02 3_2_116F3D02
Source: C:\Windows\explorer.exe Code function: 3_2_116F9912 3_2_116F9912
Source: C:\Windows\explorer.exe Code function: 3_2_116FF5CD 3_2_116FF5CD
Source: C:\Windows\explorer.exe Code function: 3_2_116FB036 3_2_116FB036
Source: C:\Windows\explorer.exe Code function: 3_2_116F2082 3_2_116F2082
Source: C:\Windows\explorer.exe Code function: 3_2_116F6B32 3_2_116F6B32
Source: C:\Windows\explorer.exe Code function: 3_2_116F6B30 3_2_116F6B30
Source: C:\Windows\explorer.exe Code function: 3_2_116FC232 3_2_116FC232
Source: C:\Windows\explorer.exe Code function: 3_2_11892232 3_2_11892232
Source: C:\Windows\explorer.exe Code function: 3_2_118955CD 3_2_118955CD
Source: C:\Windows\explorer.exe Code function: 3_2_11889D02 3_2_11889D02
Source: C:\Windows\explorer.exe Code function: 3_2_1188F912 3_2_1188F912
Source: C:\Windows\explorer.exe Code function: 3_2_1188CB30 3_2_1188CB30
Source: C:\Windows\explorer.exe Code function: 3_2_1188CB32 3_2_1188CB32
Source: C:\Windows\explorer.exe Code function: 3_2_11888082 3_2_11888082
Source: C:\Windows\explorer.exe Code function: 3_2_11891036 3_2_11891036
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: String function: 0041718C appears 44 times
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: String function: 0040E6D0 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B75130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BBF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B2B970 appears 250 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B87E54 appears 93 times
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: String function: 0041718C appears 44 times
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: String function: 0040E6D0 appears 35 times
Uses 32bit PE files
Source: PAID CA2686+CA2687+CA2688.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.subpredicate.exe.3b00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 10.2.subpredicate.exe.3b00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.subpredicate.exe.3b00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.subpredicate.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.subpredicate.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.subpredicate.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.subpredicate.exe.3b00000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 10.2.subpredicate.exe.3b00000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.subpredicate.exe.3b00000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.subpredicate.exe.2ca0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.subpredicate.exe.2ca0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.subpredicate.exe.2ca0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4243037289.00000000118AA000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000001.00000002.1821424988.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1821424988.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1821424988.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1891937275.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1891937275.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1891937275.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4229145919.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4229145919.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4229145919.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.1977797675.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.1977797675.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.1977797675.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.1943729283.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.1943729283.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.1943729283.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1891494654.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1891494654.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1891494654.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.1977867744.0000000003870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.1977867744.0000000003870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.1977867744.0000000003870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.1985487468.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.1985487468.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.1985487468.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4228922642.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4228922642.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4228922642.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4228627536.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4228627536.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4228627536.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.1976601301.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.1976601301.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.1976601301.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1891157084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1891157084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1891157084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: subpredicate.exe PID: 7328, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7356, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: systray.exe PID: 7416, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: subpredicate.exe PID: 7660, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7724, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 7796, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@272/3@12/0
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW, 0_2_0044AF5C
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464422
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 1_2_00464422
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 1_2_004364AA
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D517
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle, 0_2_0043701F
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_0047A999
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043614F
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe File created: C:\Users\user\AppData\Local\meshuggenah Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe File created: C:\Users\user\AppData\Local\Temp\pyogenesis Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs"
Source: PAID CA2686+CA2687+CA2688.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PAID CA2686+CA2687+CA2688.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe File read: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe "C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe"
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Process created: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe "C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe"
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe "C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe"
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Process created: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe "C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe" Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe "C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe" Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: PAID CA2686+CA2687+CA2688.exe Static file information: File size 1153651 > 1048576
Source: Binary string: systray.pdb source: svchost.exe, 00000002.00000002.1891636834.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1891843269.00000000037F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.1891609279.0000000003400000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4228481901.0000000000060000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: msdt.pdbGCTL source: svchost.exe, 0000000C.00000003.1976225426.000000000347B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1976026188.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1979179878.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000003.1976026188.000000000347B000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000002.1985172664.0000000000310000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: systray.pdbGCTL source: svchost.exe, 00000002.00000002.1891636834.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1891843269.00000000037F0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.1891609279.0000000003400000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4228481901.0000000000060000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: subpredicate.exe, 00000001.00000003.1818045897.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 00000001.00000003.1820116092.0000000004530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1892029982.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1820604175.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1892029982.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1822606229.0000000003900000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1893291940.0000000004DA1000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4229465366.0000000004F50000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1891373718.0000000004BF5000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4229465366.00000000050EE000.00000040.00001000.00020000.00000000.sdmp, subpredicate.exe, 0000000A.00000003.1941588547.0000000004640000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 0000000A.00000003.1941952015.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1978306297.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1978306297.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1944013702.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1942163961.0000000003600000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000003.1977240698.00000000046D1000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000002.1986903941.0000000004BCE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000010.00000003.1983091572.0000000004883000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000002.1986903941.0000000004A30000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: subpredicate.exe, 00000001.00000003.1818045897.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 00000001.00000003.1820116092.0000000004530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1892029982.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1820604175.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1892029982.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1822606229.0000000003900000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1893291940.0000000004DA1000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4229465366.0000000004F50000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1891373718.0000000004BF5000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4229465366.00000000050EE000.00000040.00001000.00020000.00000000.sdmp, subpredicate.exe, 0000000A.00000003.1941588547.0000000004640000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 0000000A.00000003.1941952015.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1978306297.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1978306297.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1944013702.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1942163961.0000000003600000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000003.1977240698.00000000046D1000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000002.1986903941.0000000004BCE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000010.00000003.1983091572.0000000004883000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000002.1986903941.0000000004A30000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4242567585.0000000010EDF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.4228753453.0000000003046000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4230115897.000000000549F000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4242567585.0000000010EDF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.4228753453.0000000003046000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000002.4230115897.000000000549F000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: msdt.pdb source: svchost.exe, 0000000C.00000003.1976225426.000000000347B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1976026188.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1979179878.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000003.1976026188.000000000347B000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000010.00000002.1985172664.0000000000310000.00000040.80000000.00040000.00000000.sdmp
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
PE file contains an invalid checksum
Source: subpredicate.exe.0.dr Static PE information: real checksum: 0xa2135 should be: 0x11ef23
Source: PAID CA2686+CA2687+CA2688.exe Static PE information: real checksum: 0xa2135 should be: 0x11ef23
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_004171D1 push ecx; ret 1_2_004171E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041794F push ss; ret 2_2_0041797F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417993 push ss; ret 2_2_0041797F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416B24 push ss; retf 2_2_00416B27
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D475 push eax; ret 2_2_0041D4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4C2 push eax; ret 2_2_0041D4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4CB push eax; ret 2_2_0041D532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041ED53 push dword ptr [914FBFDDh]; ret 2_2_0041ED74
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D52C push eax; ret 2_2_0041D532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E77C push 2E339416h; ret 2_2_0041E842
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041779C push esp; retf 2_2_0041779D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B0225F pushad ; ret 2_2_03B027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B0B008 push es; iretd 2_2_03B0B009
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B027FA pushad ; ret 2_2_03B027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B309AD push ecx; mov dword ptr [esp], ecx 2_2_03B309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B09939 push es; iretd 2_2_03B09940
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B0283D push eax; iretd 2_2_03B02858
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A8EB02 push esp; retn 0000h 2_2_03A8EB03
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A8EB1E push esp; retn 0000h 2_2_03A8EB1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A8E9B5 push esp; retn 0000h 2_2_03A8EAE7
Source: C:\Windows\explorer.exe Code function: 3_2_0FC5BB02 push esp; retn 0000h 3_2_0FC5BB03
Source: C:\Windows\explorer.exe Code function: 3_2_0FC5BB1E push esp; retn 0000h 3_2_0FC5BB1F
Source: C:\Windows\explorer.exe Code function: 3_2_0FC5B9B5 push esp; retn 0000h 3_2_0FC5BAE7
Source: C:\Windows\explorer.exe Code function: 3_2_116FF9B5 push esp; retn 0000h 3_2_116FFAE7
Source: C:\Windows\explorer.exe Code function: 3_2_116FFB02 push esp; retn 0000h 3_2_116FFB03
Source: C:\Windows\explorer.exe Code function: 3_2_116FFB1E push esp; retn 0000h 3_2_116FFB1F
Source: C:\Windows\explorer.exe Code function: 3_2_118959B5 push esp; retn 0000h 3_2_11895AE7
Source: C:\Windows\explorer.exe Code function: 3_2_11895B02 push esp; retn 0000h 3_2_11895B03
Source: C:\Windows\explorer.exe Code function: 3_2_11895B1E push esp; retn 0000h 3_2_11895B1F
Drops PE files
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe File created: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Jump to dropped file

Boot Survival
barindex
Drops VBS files to the startup folder
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_004772DE
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_004375B0
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00444078 0_2_00444078
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00444078 1_2_00444078
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe API/Special instruction interceptor: Address: 3F692DC
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe API/Special instruction interceptor: Address: 3DFA2FC
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 2D89904 second address: 2D8990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 2D89B6E second address: 2D89B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 2839904 second address: 283990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 2839B6E second address: 2839B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1293 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 8647 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 784 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Window / User API: threadDelayed 6539 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Window / User API: threadDelayed 3432 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe API coverage: 3.2 %
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 7924 Thread sleep time: -2586000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7924 Thread sleep time: -17294000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 7688 Thread sleep count: 6539 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 7688 Thread sleep time: -13078000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 7688 Thread sleep count: 3432 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 7688 Thread sleep time: -6864000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 1_2_00452126
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 1_2_0045C999
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00436ADE
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00434BEE
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 1_2_00436D2D
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00442E1F
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0045DD7C FindFirstFileW,FindClose, 1_2_0045DD7C
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 1_2_0044BD29
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00475FE5
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_0044BF8D
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: explorer.exe, 00000003.00000002.4236567724.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000003.3106675114.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000003.00000003.3106675114.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000003.00000002.4236567724.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000000.1830000358.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000003.00000003.3106493709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.3106493709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
Source: wscript.exe, 00000007.00000003.1914437152.0000022532FA4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1837076273.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: PAID CA2686+CA2687+CA2688.exe, 00000000.00000002.1801301107.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: explorer.exe, 00000003.00000002.4231735203.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: subpredicate.exe, 0000000A.00000002.1943481276.0000000000B98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#
Source: explorer.exe, 00000003.00000003.3106675114.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000003.00000000.1835273779.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4235696558.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1835273779.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106675114.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106675114.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4235696558.000000000982D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1837076273.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000003.3569453956.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1831846866.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3106493709.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4231735203.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: wscript.exe, 00000007.00000003.1914437152.0000022532FA4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.4235590737.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000003.00000000.1830000358.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000000.1830000358.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040ACE0 LdrLoadDll, 2_2_0040ACE0
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_040CA540 mov eax, dword ptr fs:[00000030h] 0_2_040CA540
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_040CA5A0 mov eax, dword ptr fs:[00000030h] 0_2_040CA5A0
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_040C8ED0 mov eax, dword ptr fs:[00000030h] 0_2_040C8ED0
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_03F695A8 mov eax, dword ptr fs:[00000030h] 1_2_03F695A8
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_03F69548 mov eax, dword ptr fs:[00000030h] 1_2_03F69548
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_03F67ED8 mov eax, dword ptr fs:[00000030h] 1_2_03F67ED8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B533A5 mov eax, dword ptr fs:[00000030h] 2_2_03B533A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B633A0 mov eax, dword ptr fs:[00000030h] 2_2_03B633A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B633A0 mov eax, dword ptr fs:[00000030h] 2_2_03B633A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B8739A mov eax, dword ptr fs:[00000030h] 2_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B8739A mov eax, dword ptr fs:[00000030h] 2_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] 2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] 2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] 2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] 2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] 2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] 2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h] 2_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h] 2_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C053FC mov eax, dword ptr fs:[00000030h] 2_2_03C053FC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B663FF mov eax, dword ptr fs:[00000030h] 2_2_03B663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEF3E6 mov eax, dword ptr fs:[00000030h] 2_2_03BEF3E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0539D mov eax, dword ptr fs:[00000030h] 2_2_03C0539D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEB3D0 mov ecx, dword ptr fs:[00000030h] 2_2_03BEB3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEC3CD mov eax, dword ptr fs:[00000030h] 2_2_03BEC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB63C0 mov eax, dword ptr fs:[00000030h] 2_2_03BB63C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C05341 mov eax, dword ptr fs:[00000030h] 2_2_03C05341
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B27330 mov eax, dword ptr fs:[00000030h] 2_2_03B27330
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF132D mov eax, dword ptr fs:[00000030h] 2_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF132D mov eax, dword ptr fs:[00000030h] 2_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5F32A mov eax, dword ptr fs:[00000030h] 2_2_03B5F32A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2C310 mov ecx, dword ptr fs:[00000030h] 2_2_03B2C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B50310 mov ecx, dword ptr fs:[00000030h] 2_2_03B50310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB930B mov eax, dword ptr fs:[00000030h] 2_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB930B mov eax, dword ptr fs:[00000030h] 2_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB930B mov eax, dword ptr fs:[00000030h] 2_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] 2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] 2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] 2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD437C mov eax, dword ptr fs:[00000030h] 2_2_03BD437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B37370 mov eax, dword ptr fs:[00000030h] 2_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B37370 mov eax, dword ptr fs:[00000030h] 2_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B37370 mov eax, dword ptr fs:[00000030h] 2_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEF367 mov eax, dword ptr fs:[00000030h] 2_2_03BEF367
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B29353 mov eax, dword ptr fs:[00000030h] 2_2_03B29353
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B29353 mov eax, dword ptr fs:[00000030h] 2_2_03B29353
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB035C mov ecx, dword ptr fs:[00000030h] 2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFA352 mov eax, dword ptr fs:[00000030h] 2_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2D34C mov eax, dword ptr fs:[00000030h] 2_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2D34C mov eax, dword ptr fs:[00000030h] 2_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB92BC mov eax, dword ptr fs:[00000030h] 2_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB92BC mov eax, dword ptr fs:[00000030h] 2_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB92BC mov ecx, dword ptr fs:[00000030h] 2_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB92BC mov ecx, dword ptr fs:[00000030h] 2_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h] 2_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h] 2_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B452A0 mov eax, dword ptr fs:[00000030h] 2_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B452A0 mov eax, dword ptr fs:[00000030h] 2_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B452A0 mov eax, dword ptr fs:[00000030h] 2_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B452A0 mov eax, dword ptr fs:[00000030h] 2_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF92A6 mov eax, dword ptr fs:[00000030h] 2_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF92A6 mov eax, dword ptr fs:[00000030h] 2_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF92A6 mov eax, dword ptr fs:[00000030h] 2_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF92A6 mov eax, dword ptr fs:[00000030h] 2_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC72A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC72A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC72A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC72A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C052E2 mov eax, dword ptr fs:[00000030h] 2_2_03C052E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6329E mov eax, dword ptr fs:[00000030h] 2_2_03B6329E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6329E mov eax, dword ptr fs:[00000030h] 2_2_03B6329E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h] 2_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h] 2_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] 2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] 2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] 2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C05283 mov eax, dword ptr fs:[00000030h] 2_2_03C05283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEF2F8 mov eax, dword ptr fs:[00000030h] 2_2_03BEF2F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B292FF mov eax, dword ptr fs:[00000030h] 2_2_03B292FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED mov eax, dword ptr fs:[00000030h] 2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] 2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] 2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] 2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2B2D3 mov eax, dword ptr fs:[00000030h] 2_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2B2D3 mov eax, dword ptr fs:[00000030h] 2_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2B2D3 mov eax, dword ptr fs:[00000030h] 2_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5F2D0 mov eax, dword ptr fs:[00000030h] 2_2_03B5F2D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5F2D0 mov eax, dword ptr fs:[00000030h] 2_2_03B5F2D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 2_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 2_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 2_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 2_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 2_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 2_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 2_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B392C5 mov eax, dword ptr fs:[00000030h] 2_2_03B392C5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B392C5 mov eax, dword ptr fs:[00000030h] 2_2_03B392C5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2823B mov eax, dword ptr fs:[00000030h] 2_2_03B2823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B67208 mov eax, dword ptr fs:[00000030h] 2_2_03B67208
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B67208 mov eax, dword ptr fs:[00000030h] 2_2_03B67208
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B59274 mov eax, dword ptr fs:[00000030h] 2_2_03B59274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B71270 mov eax, dword ptr fs:[00000030h] 2_2_03B71270
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B71270 mov eax, dword ptr fs:[00000030h] 2_2_03B71270
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h] 2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h] 2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h] 2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFD26B mov eax, dword ptr fs:[00000030h] 2_2_03BFD26B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFD26B mov eax, dword ptr fs:[00000030h] 2_2_03BFD26B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2826B mov eax, dword ptr fs:[00000030h] 2_2_03B2826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2A250 mov eax, dword ptr fs:[00000030h] 2_2_03B2A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C05227 mov eax, dword ptr fs:[00000030h] 2_2_03C05227
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEB256 mov eax, dword ptr fs:[00000030h] 2_2_03BEB256
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEB256 mov eax, dword ptr fs:[00000030h] 2_2_03BEB256
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B36259 mov eax, dword ptr fs:[00000030h] 2_2_03B36259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B29240 mov eax, dword ptr fs:[00000030h] 2_2_03B29240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B29240 mov eax, dword ptr fs:[00000030h] 2_2_03B29240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB8243 mov eax, dword ptr fs:[00000030h] 2_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB8243 mov ecx, dword ptr fs:[00000030h] 2_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6724D mov eax, dword ptr fs:[00000030h] 2_2_03B6724D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4B1B0 mov eax, dword ptr fs:[00000030h] 2_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C051CB mov eax, dword ptr fs:[00000030h] 2_2_03C051CB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE11A4 mov eax, dword ptr fs:[00000030h] 2_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE11A4 mov eax, dword ptr fs:[00000030h] 2_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE11A4 mov eax, dword ptr fs:[00000030h] 2_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE11A4 mov eax, dword ptr fs:[00000030h] 2_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] 2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] 2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] 2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] 2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h] 2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h] 2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h] 2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C061E5 mov eax, dword ptr fs:[00000030h] 2_2_03C061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B87190 mov eax, dword ptr fs:[00000030h] 2_2_03B87190
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B70185 mov eax, dword ptr fs:[00000030h] 2_2_03B70185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h] 2_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h] 2_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD71F9 mov esi, dword ptr fs:[00000030h] 2_2_03BD71F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B601F8 mov eax, dword ptr fs:[00000030h] 2_2_03B601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B551EF mov eax, dword ptr fs:[00000030h] 2_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B351ED mov eax, dword ptr fs:[00000030h] 2_2_03B351ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6D1D0 mov eax, dword ptr fs:[00000030h] 2_2_03B6D1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6D1D0 mov ecx, dword ptr fs:[00000030h] 2_2_03B6D1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h] 2_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h] 2_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B31131 mov eax, dword ptr fs:[00000030h] 2_2_03B31131
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B31131 mov eax, dword ptr fs:[00000030h] 2_2_03B31131
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2B136 mov eax, dword ptr fs:[00000030h] 2_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2B136 mov eax, dword ptr fs:[00000030h] 2_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2B136 mov eax, dword ptr fs:[00000030h] 2_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2B136 mov eax, dword ptr fs:[00000030h] 2_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C05152 mov eax, dword ptr fs:[00000030h] 2_2_03C05152
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B60124 mov eax, dword ptr fs:[00000030h] 2_2_03B60124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDA118 mov ecx, dword ptr fs:[00000030h] 2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h] 2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h] 2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h] 2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF0115 mov eax, dword ptr fs:[00000030h] 2_2_03BF0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172 mov eax, dword ptr fs:[00000030h] 2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC9179 mov eax, dword ptr fs:[00000030h] 2_2_03BC9179
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B37152 mov eax, dword ptr fs:[00000030h] 2_2_03B37152
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2C156 mov eax, dword ptr fs:[00000030h] 2_2_03B2C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC8158 mov eax, dword ptr fs:[00000030h] 2_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h] 2_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h] 2_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h] 2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h] 2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC4144 mov ecx, dword ptr fs:[00000030h] 2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h] 2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h] 2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B29148 mov eax, dword ptr fs:[00000030h] 2_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B29148 mov eax, dword ptr fs:[00000030h] 2_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B29148 mov eax, dword ptr fs:[00000030h] 2_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B29148 mov eax, dword ptr fs:[00000030h] 2_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF60B8 mov eax, dword ptr fs:[00000030h] 2_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF60B8 mov ecx, dword ptr fs:[00000030h] 2_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC80A8 mov eax, dword ptr fs:[00000030h] 2_2_03BC80A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C050D9 mov eax, dword ptr fs:[00000030h] 2_2_03C050D9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B35096 mov eax, dword ptr fs:[00000030h] 2_2_03B35096
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5D090 mov eax, dword ptr fs:[00000030h] 2_2_03B5D090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5D090 mov eax, dword ptr fs:[00000030h] 2_2_03B5D090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6909C mov eax, dword ptr fs:[00000030h] 2_2_03B6909C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3208A mov eax, dword ptr fs:[00000030h] 2_2_03B3208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2D08D mov eax, dword ptr fs:[00000030h] 2_2_03B2D08D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2C0F0 mov eax, dword ptr fs:[00000030h] 2_2_03B2C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B720F0 mov ecx, dword ptr fs:[00000030h] 2_2_03B720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B550E4 mov eax, dword ptr fs:[00000030h] 2_2_03B550E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B550E4 mov ecx, dword ptr fs:[00000030h] 2_2_03B550E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_03B2A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B380E9 mov eax, dword ptr fs:[00000030h] 2_2_03B380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB60E0 mov eax, dword ptr fs:[00000030h] 2_2_03BB60E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB20DE mov eax, dword ptr fs:[00000030h] 2_2_03BB20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B590DB mov eax, dword ptr fs:[00000030h] 2_2_03B590DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov ecx, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov ecx, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov ecx, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov ecx, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0 mov eax, dword ptr fs:[00000030h] 2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAD0C0 mov eax, dword ptr fs:[00000030h] 2_2_03BAD0C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAD0C0 mov eax, dword ptr fs:[00000030h] 2_2_03BAD0C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF903E mov eax, dword ptr fs:[00000030h] 2_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF903E mov eax, dword ptr fs:[00000030h] 2_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF903E mov eax, dword ptr fs:[00000030h] 2_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF903E mov eax, dword ptr fs:[00000030h] 2_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2A020 mov eax, dword ptr fs:[00000030h] 2_2_03B2A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2C020 mov eax, dword ptr fs:[00000030h] 2_2_03B2C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C05060 mov eax, dword ptr fs:[00000030h] 2_2_03C05060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h] 2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h] 2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h] 2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h] 2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB4000 mov ecx, dword ptr fs:[00000030h] 2_2_03BB4000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov eax, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov ecx, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov eax, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov eax, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov eax, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov eax, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov eax, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov eax, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov eax, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov eax, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov eax, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov eax, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41070 mov eax, dword ptr fs:[00000030h] 2_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5C073 mov eax, dword ptr fs:[00000030h] 2_2_03B5C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAD070 mov ecx, dword ptr fs:[00000030h] 2_2_03BAD070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB106E mov eax, dword ptr fs:[00000030h] 2_2_03BB106E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B32050 mov eax, dword ptr fs:[00000030h] 2_2_03B32050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD705E mov ebx, dword ptr fs:[00000030h] 2_2_03BD705E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD705E mov eax, dword ptr fs:[00000030h] 2_2_03BD705E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B052 mov eax, dword ptr fs:[00000030h] 2_2_03B5B052
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB6050 mov eax, dword ptr fs:[00000030h] 2_2_03BB6050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5D7B0 mov eax, dword ptr fs:[00000030h] 2_2_03B5D7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 2_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB97A9 mov eax, dword ptr fs:[00000030h] 2_2_03BB97A9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 2_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 2_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 2_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 2_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 2_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B307AF mov eax, dword ptr fs:[00000030h] 2_2_03B307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEF78A mov eax, dword ptr fs:[00000030h] 2_2_03BEF78A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h] 2_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h] 2_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3D7E0 mov ecx, dword ptr fs:[00000030h] 2_2_03B3D7E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h] 2_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h] 2_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h] 2_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3C7C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B357C0 mov eax, dword ptr fs:[00000030h] 2_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B357C0 mov eax, dword ptr fs:[00000030h] 2_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B357C0 mov eax, dword ptr fs:[00000030h] 2_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C037B6 mov eax, dword ptr fs:[00000030h] 2_2_03C037B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB07C3 mov eax, dword ptr fs:[00000030h] 2_2_03BB07C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B29730 mov eax, dword ptr fs:[00000030h] 2_2_03B29730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B29730 mov eax, dword ptr fs:[00000030h] 2_2_03B29730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B65734 mov eax, dword ptr fs:[00000030h] 2_2_03B65734
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3973A mov eax, dword ptr fs:[00000030h] 2_2_03B3973A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3973A mov eax, dword ptr fs:[00000030h] 2_2_03B3973A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C03749 mov eax, dword ptr fs:[00000030h] 2_2_03C03749
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h] 2_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6273C mov ecx, dword ptr fs:[00000030h] 2_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h] 2_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAC730 mov eax, dword ptr fs:[00000030h] 2_2_03BAC730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEF72E mov eax, dword ptr fs:[00000030h] 2_2_03BEF72E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B33720 mov eax, dword ptr fs:[00000030h] 2_2_03B33720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4F720 mov eax, dword ptr fs:[00000030h] 2_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4F720 mov eax, dword ptr fs:[00000030h] 2_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4F720 mov eax, dword ptr fs:[00000030h] 2_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF972B mov eax, dword ptr fs:[00000030h] 2_2_03BF972B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h] 2_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h] 2_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30710 mov eax, dword ptr fs:[00000030h] 2_2_03B30710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B60710 mov eax, dword ptr fs:[00000030h] 2_2_03B60710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6F71F mov eax, dword ptr fs:[00000030h] 2_2_03B6F71F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6F71F mov eax, dword ptr fs:[00000030h] 2_2_03B6F71F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B37703 mov eax, dword ptr fs:[00000030h] 2_2_03B37703
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B35702 mov eax, dword ptr fs:[00000030h] 2_2_03B35702
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B35702 mov eax, dword ptr fs:[00000030h] 2_2_03B35702
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6C700 mov eax, dword ptr fs:[00000030h] 2_2_03B6C700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B38770 mov eax, dword ptr fs:[00000030h] 2_2_03B38770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2B765 mov eax, dword ptr fs:[00000030h] 2_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2B765 mov eax, dword ptr fs:[00000030h] 2_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2B765 mov eax, dword ptr fs:[00000030h] 2_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2B765 mov eax, dword ptr fs:[00000030h] 2_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30750 mov eax, dword ptr fs:[00000030h] 2_2_03B30750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h] 2_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h] 2_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB4755 mov eax, dword ptr fs:[00000030h] 2_2_03BB4755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B43740 mov eax, dword ptr fs:[00000030h] 2_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B43740 mov eax, dword ptr fs:[00000030h] 2_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B43740 mov eax, dword ptr fs:[00000030h] 2_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6674D mov esi, dword ptr fs:[00000030h] 2_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h] 2_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h] 2_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0B73C mov eax, dword ptr fs:[00000030h] 2_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0B73C mov eax, dword ptr fs:[00000030h] 2_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0B73C mov eax, dword ptr fs:[00000030h] 2_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0B73C mov eax, dword ptr fs:[00000030h] 2_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B276B2 mov eax, dword ptr fs:[00000030h] 2_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B276B2 mov eax, dword ptr fs:[00000030h] 2_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B276B2 mov eax, dword ptr fs:[00000030h] 2_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B666B0 mov eax, dword ptr fs:[00000030h] 2_2_03B666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6C6A6 mov eax, dword ptr fs:[00000030h] 2_2_03B6C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2D6AA mov eax, dword ptr fs:[00000030h] 2_2_03B2D6AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2D6AA mov eax, dword ptr fs:[00000030h] 2_2_03B2D6AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h] 2_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h] 2_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB368C mov eax, dword ptr fs:[00000030h] 2_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB368C mov eax, dword ptr fs:[00000030h] 2_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB368C mov eax, dword ptr fs:[00000030h] 2_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB368C mov eax, dword ptr fs:[00000030h] 2_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h] 2_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h] 2_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BED6F0 mov eax, dword ptr fs:[00000030h] 2_2_03BED6F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC36EE mov eax, dword ptr fs:[00000030h] 2_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC36EE mov eax, dword ptr fs:[00000030h] 2_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC36EE mov eax, dword ptr fs:[00000030h] 2_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC36EE mov eax, dword ptr fs:[00000030h] 2_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC36EE mov eax, dword ptr fs:[00000030h] 2_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC36EE mov eax, dword ptr fs:[00000030h] 2_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5D6E0 mov eax, dword ptr fs:[00000030h] 2_2_03B5D6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5D6E0 mov eax, dword ptr fs:[00000030h] 2_2_03B5D6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A6C7 mov eax, dword ptr fs:[00000030h] 2_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF16CC mov eax, dword ptr fs:[00000030h] 2_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF16CC mov eax, dword ptr fs:[00000030h] 2_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF16CC mov eax, dword ptr fs:[00000030h] 2_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF16CC mov eax, dword ptr fs:[00000030h] 2_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEF6C7 mov eax, dword ptr fs:[00000030h] 2_2_03BEF6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B616CF mov eax, dword ptr fs:[00000030h] 2_2_03B616CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E627 mov eax, dword ptr fs:[00000030h] 2_2_03B4E627
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F626 mov eax, dword ptr fs:[00000030h] 2_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F626 mov eax, dword ptr fs:[00000030h] 2_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F626 mov eax, dword ptr fs:[00000030h] 2_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F626 mov eax, dword ptr fs:[00000030h] 2_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F626 mov eax, dword ptr fs:[00000030h] 2_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F626 mov eax, dword ptr fs:[00000030h] 2_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F626 mov eax, dword ptr fs:[00000030h] 2_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F626 mov eax, dword ptr fs:[00000030h] 2_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F626 mov eax, dword ptr fs:[00000030h] 2_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B66620 mov eax, dword ptr fs:[00000030h] 2_2_03B66620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B68620 mov eax, dword ptr fs:[00000030h] 2_2_03B68620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3262C mov eax, dword ptr fs:[00000030h] 2_2_03B3262C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
Enables debug privileges
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0042202E SetUnhandledExceptionFilter, 1_2_0042202E
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004230F5
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00417D93
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00421FA7

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 2580 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Thread register set: target process: 2580 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 2580 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\systray.exe base address: 60000 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 310000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F0D008 Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F0F008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_00436431
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe" Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe "C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe" Jump to behavior
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: PAID CA2686+CA2687+CA2688.exe, subpredicate.exe, explorer.exe, 00000003.00000002.4235696558.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1835273779.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.4229284000.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1830271773.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: PAID CA2686+CA2687+CA2688.exe, subpredicate.exe.0.dr Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000002.4228788665.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1830000358.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000003.00000002.4229284000.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1830271773.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000002.4229284000.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1830271773.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_0042039F
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.subpredicate.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.subpredicate.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.subpredicate.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.subpredicate.exe.2ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1821424988.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1891937275.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4229145919.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1977797675.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1943729283.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1891494654.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1977867744.0000000003870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1985487468.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4228922642.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4228627536.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1976601301.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1891157084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
OS version to string mapping found (often used in BOTs)
Source: subpredicate.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: subpredicate.exe Binary or memory string: WIN_XP
Source: subpredicate.exe Binary or memory string: WIN_XPe
Source: subpredicate.exe Binary or memory string: WIN_VISTA
Source: subpredicate.exe Binary or memory string: WIN_7

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.subpredicate.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.subpredicate.exe.2ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.subpredicate.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.subpredicate.exe.2ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1821424988.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1891937275.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4229145919.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1977797675.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1943729283.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1891494654.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1977867744.0000000003870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1985487468.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4228922642.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4228627536.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1976601301.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1891157084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\PAID CA2686+CA2687+CA2688.exe Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 1_2_004741BB
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 1_2_0046483C
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 1_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 1_2_0047AD92
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1543813 Sample: PAID CA2686+CA2687+CA2688.exe Startdate: 28/10/2024 Architecture: WINDOWS Score: 100 47 www.68716329.xyz 2->47 49 www.65fhgejd3.xyz 2->49 51 10 other IPs or domains 2->51 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Multi AV Scanner detection for submitted file 2->69 73 8 other signatures 2->73 12 PAID CA2686+CA2687+CA2688.exe 3 2->12         started        signatures3 71 Performs DNS queries to domains with low reputation 49->71 process4 file5 43 C:\Users\user\AppData\...\subpredicate.exe, PE32 12->43 dropped 15 subpredicate.exe 1 12->15         started        process6 file7 45 C:\Users\user\AppData\...\subpredicate.vbs, data 15->45 dropped 53 Multi AV Scanner detection for dropped file 15->53 55 Machine Learning detection for dropped file 15->55 57 Drops VBS files to the startup folder 15->57 59 4 other signatures 15->59 19 svchost.exe 15->19         started        signatures8 process9 signatures10 75 Modifies the context of a thread in another process (thread injection) 19->75 77 Maps a DLL or memory area into another process 19->77 79 Sample uses process hollowing technique 19->79 81 3 other signatures 19->81 22 explorer.exe 60 1 19->22 injected process11 process12 24 wscript.exe 1 22->24         started        27 systray.exe 22->27         started        29 msdt.exe 22->29         started        31 3 other processes 22->31 signatures13 89 Windows Scripting host queries suspicious COM object (likely to drop second stage) 24->89 33 subpredicate.exe 24->33         started        91 Modifies the context of a thread in another process (thread injection) 27->91 93 Maps a DLL or memory area into another process 27->93 95 Tries to detect virtualization through RDTSC time measurements 27->95 97 Switches to a custom stack to bypass stack traces 27->97 36 cmd.exe 1 27->36         started        process14 signatures15 61 Writes to foreign memory regions 33->61 63 Maps a DLL or memory area into another process 33->63 38 svchost.exe 33->38         started        41 conhost.exe 36->41         started        process16 signatures17 83 Modifies the context of a thread in another process (thread injection) 38->83 85 Maps a DLL or memory area into another process 38->85 87 Sample uses process hollowing technique 38->87
No contacted IP infos

Contacted Domains

Name IP Active
www.eb777.club unknown unknown
www.ependableequipment.online unknown unknown
www.ovatonica.net unknown unknown
www.f6b-crxy.top unknown unknown
www.olandopaintingllc.online unknown unknown
www.65fhgejd3.xyz unknown unknown
www.qidr.shop unknown unknown
www.ealthironcladguarantee.shop unknown unknown
www.3589.photo unknown unknown
www.achhonglan.shop unknown unknown
www.68716329.xyz unknown unknown
www.yzq0n.top unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.f6b-crxy.top/cu29/ true
    		unknown