Windows Analysis Report
Export Shipment Documents 72335.exe

Overview

General Information

Sample name: Export Shipment Documents 72335.exe
Analysis ID: 1543817
MD5: 27a6e3019a7a5a253389de68dd9afda9
SHA1: 1da9db209c723c15e687712ac20d5f334f74dcd8
SHA256: 91123f6fc1ac1580e1e358365eb9b10a5137cc96ea7039a284d3926923aed4a3
Tags: exeFormbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Found malware configuration
Source: 00000004.00000002.2705169707.0000000002B20000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.uhy-key.xyz/ms84/"], "decoy": ["ecurity-ukgaxq.xyz", "45ee.top", "risiddivinayaka.net", "tizip-skill.xyz", "ostcanadantet.top", "764.xyz", "oco188rtp.xyz", "lobalacessory.shop", "qcq-serve.xyz", "dameth.top", "arge-eycert.xyz", "yzwj-she.xyz", "bgfrp-plant.xyz", "emesiartwork.net", "rcw-hotel.xyz", "loor-dfqzpi.xyz", "vidence-zvkkln.xyz", "oisthuchoyarura.shop", "959108ttltxfm842.top", "apzcc-both.xyz", "duxrib.xyz", "ridging-solutions-llc.net", "ower-gxkwaa.xyz", "elicorebiopharma.net", "hlut-government.xyz", "outh-kejj.xyz", "dslot88b.click", "xfetchbesnowsblacher.shop", "all888.xyz", "erform-tgap.xyz", "ixiaopu.top", "eiqiqikj.top", "antuljiwa.click", "vqq-national.xyz", "rilseguloseheating.shop", "uney.xyz", "ord-km241124sdaqrwqsssafqw.xyz", "uiejosdarksumdauts.shop", "aby-qwjqlg.xyz", "xcoy-product.xyz", "ressure-pkdpy.xyz", "5syp.xyz", "lue-kuukf.xyz", "ccording-pqzu.xyz", "elieve-nrrv.xyz", "ltimatraceglow.pro", "dgnmu-over.xyz", "ittlepawprints.app", "agieworld.xyz", "vvfu-break.xyz", "taff-ltpugj.xyz", "kn510v1.top", "oolhervelegerus.shop", "mployee-jkmmz.xyz", "4750.africa", "weetlive.lat", "achebrand.shop", "uistnanciesnefast.cfd", "isten-fwogs.xyz", "cmk-billion.xyz", "981gnk.top", "ge-zgnfu.xyz", "unwaleheathyhibbing.cfd", "ikigorakos.net"]}
Multi AV Scanner detection for submitted file
Source: Export Shipment Documents 72335.exe ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Export Shipment Documents 72335.exe.1680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Export Shipment Documents 72335.exe.1680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2705169707.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1500557511.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1445854829.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2698343206.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2705537393.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1500520804.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1499670028.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for sample
Source: Export Shipment Documents 72335.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Export Shipment Documents 72335.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: Export Shipment Documents 72335.exe, 00000000.00000003.1444022587.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, Export Shipment Documents 72335.exe, 00000000.00000003.1440621009.0000000004750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500842270.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1444202047.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1445947770.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500842270.000000000399E000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000003.1500086455.00000000029E8000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000002.2709904609.0000000002EFE000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000002.2709904609.0000000002D60000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000003.1501711079.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Export Shipment Documents 72335.exe, 00000000.00000003.1444022587.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, Export Shipment Documents 72335.exe, 00000000.00000003.1440621009.0000000004750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1500842270.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1444202047.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1445947770.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500842270.000000000399E000.00000040.00001000.00020000.00000000.sdmp, help.exe, help.exe, 00000004.00000003.1500086455.00000000029E8000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000002.2709904609.0000000002EFE000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000002.2709904609.0000000002D60000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000003.1501711079.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: help.pdbGCTL source: svchost.exe, 00000002.00000002.1500301030.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500323144.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500590168.00000000036A0000.00000040.10000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.2698010994.0000000000470000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.2325206022.000000001004F000.00000004.80000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.2715096234.00000000032AF000.00000004.10000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.2699334682.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2725318929.000000000A5BF000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: help.pdb source: svchost.exe, 00000002.00000002.1500301030.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500323144.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500590168.00000000036A0000.00000040.10000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.2698010994.0000000000470000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.2325206022.000000001004F000.00000004.80000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.2715096234.00000000032AF000.00000004.10000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.2699334682.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2725318929.000000000A5BF000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49737 -> 13.248.252.114:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49737 -> 13.248.252.114:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49737 -> 13.248.252.114:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 13.248.252.114 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.uhy-key.xyz/ms84/
Performs DNS queries to domains with low reputation
Source: DNS query: www.oco188rtp.xyz
Source: DNS query: www.764.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ms84/?Ol=aRGCqGqS1KJ0su+wMD27827GGXC+f5XXSoOX4ZczOgd3c4vi/ATBZdGOzoSN7qN/kVlO&tFQp=YP7xkZXxyhq HTTP/1.1Host: www.764.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 13.248.252.114 13.248.252.114
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: global traffic HTTP traffic detected: GET /ms84/?Ol=aRGCqGqS1KJ0su+wMD27827GGXC+f5XXSoOX4ZczOgd3c4vi/ATBZdGOzoSN7qN/kVlO&tFQp=YP7xkZXxyhq HTTP/1.1Host: www.764.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic DNS traffic detected: DNS query: www.unwaleheathyhibbing.cfd
Source: global traffic DNS traffic detected: DNS query: www.oco188rtp.xyz
Source: global traffic DNS traffic detected: DNS query: api.msn.com
Source: global traffic DNS traffic detected: DNS query: www.ikigorakos.net
Source: global traffic DNS traffic detected: DNS query: www.764.xyz
Source: explorer.exe, 00000003.00000000.1452754587.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312821972.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312821972.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1452754587.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2380782792.0000000008C7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2381542057.0000000008C86000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2723546942.0000000008C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.1452754587.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312821972.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312821972.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1452754587.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2380782792.0000000008C7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2381542057.0000000008C86000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2723546942.0000000008C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000000.1452754587.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1452754587.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312821972.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312821972.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312821972.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1452754587.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2380782792.0000000008C7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2381542057.0000000008C86000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2723546942.0000000008C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000D.00000002.2717021958.00000000051DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.c
Source: explorer.exe, 00000003.00000000.1449366182.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2305363181.0000000004405000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000003.00000000.1452754587.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312821972.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312821972.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1452754587.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2380782792.0000000008C7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2381542057.0000000008C86000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2723546942.0000000008C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.2312821972.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1452754587.00000000090DA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.2311311149.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1451101286.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2300984786.0000000002C80000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.5syp.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.5syp.xyz/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.5syp.xyz/ms84/www.kn510v1.top
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.5syp.xyzReferer:
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.764.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.764.xyz/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.764.xyz/ms84/www.taff-ltpugj.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.764.xyzReferer:
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aby-qwjqlg.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aby-qwjqlg.xyz/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aby-qwjqlg.xyz/ms84/www.ittlepawprints.app
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aby-qwjqlg.xyzReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.agieworld.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.agieworld.xyz/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.agieworld.xyz/ms84/www.ixiaopu.top
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.agieworld.xyzReferer:
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.duxrib.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.duxrib.xyz/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.duxrib.xyz/ms84/www.hlut-government.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.duxrib.xyzReferer:
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ecurity-ukgaxq.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ecurity-ukgaxq.xyz/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ecurity-ukgaxq.xyz/ms84/www.oco188rtp.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ecurity-ukgaxq.xyzReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.elieve-nrrv.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.elieve-nrrv.xyz/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.elieve-nrrv.xyz/ms84/www.outh-kejj.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.elieve-nrrv.xyzReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emesiartwork.net
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emesiartwork.net/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emesiartwork.net/ms84/www.risiddivinayaka.net
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emesiartwork.netReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.erform-tgap.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.erform-tgap.xyz/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.erform-tgap.xyz/ms84/www.agieworld.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.erform-tgap.xyzReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hlut-government.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hlut-government.xyz/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hlut-government.xyz/ms84/www.emesiartwork.net
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hlut-government.xyzReferer:
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ikigorakos.net
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ikigorakos.net/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ikigorakos.net/ms84/www.764.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ikigorakos.netReferer:
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ittlepawprints.app
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ittlepawprints.app/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ittlepawprints.app/ms84/www.vqq-national.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ittlepawprints.appReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ixiaopu.top
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ixiaopu.top/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ixiaopu.top/ms84/www.vqq-national.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ixiaopu.topReferer:
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.kn510v1.top
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.kn510v1.top/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.kn510v1.top/ms84/www.duxrib.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.kn510v1.topReferer:
Source: explorer.exe, 00000003.00000000.1452754587.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312821972.0000000009237000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mployee-jkmmz.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mployee-jkmmz.xyz/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mployee-jkmmz.xyzReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oco188rtp.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oco188rtp.xyz/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oco188rtp.xyz/ms84/www.duxrib.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oco188rtp.xyz/ms84/www.uiejosdarksumdauts.shop
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oco188rtp.xyzReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.outh-kejj.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.outh-kejj.xyz/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.outh-kejj.xyz/ms84/www.mployee-jkmmz.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.outh-kejj.xyzReferer:
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ridging-solutions-llc.net
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ridging-solutions-llc.net/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ridging-solutions-llc.net/ms84/www.uhy-key.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ridging-solutions-llc.netReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rilseguloseheating.shop
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rilseguloseheating.shop/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rilseguloseheating.shop/ms84/www.erform-tgap.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rilseguloseheating.shopReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.risiddivinayaka.net
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.risiddivinayaka.net/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.risiddivinayaka.net/ms84/www.uhy-key.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.risiddivinayaka.netReferer:
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.taff-ltpugj.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.taff-ltpugj.xyz/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.taff-ltpugj.xyz/ms84/www.yzwj-she.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.taff-ltpugj.xyzReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uhy-key.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uhy-key.xyz/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uhy-key.xyz/ms84/www.ecurity-ukgaxq.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uhy-key.xyz/ms84/www.rilseguloseheating.shop
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uhy-key.xyzReferer:
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uiejosdarksumdauts.shop
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uiejosdarksumdauts.shop/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uiejosdarksumdauts.shop/ms84/www.aby-qwjqlg.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uiejosdarksumdauts.shopReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.unwaleheathyhibbing.cfd
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.unwaleheathyhibbing.cfd/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.unwaleheathyhibbing.cfd/ms84/www.oco188rtp.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.unwaleheathyhibbing.cfdReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vqq-national.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vqq-national.xyz/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.vqq-national.xyz/ms84/www.xcoy-product.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vqq-national.xyz/ms84/www.xfetchbesnowsblacher.shop
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vqq-national.xyzReferer:
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.xcoy-product.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.xcoy-product.xyz/ms84/
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.xcoy-product.xyz/ms84/www.elieve-nrrv.xyz
Source: explorer.exe, 00000003.00000002.2302335267.0000000003010000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.xcoy-product.xyzReferer:
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfetchbesnowsblacher.shop
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfetchbesnowsblacher.shop/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfetchbesnowsblacher.shop/ms84/www.5syp.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xfetchbesnowsblacher.shopReferer:
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.yzwj-she.xyz
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.yzwj-she.xyz/ms84/
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.yzwj-she.xyz/ms84/www.ridging-solutions-llc.net
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.yzwj-she.xyzReferer:
Source: explorer.exe, 00000003.00000002.2320722901.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456860332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000003.00000002.2320722901.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456860332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000002.2320722901.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456860332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000003.00000002.2320722901.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456860332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000003.00000002.2308475424.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2723546942.0000000008C45000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2380782792.0000000008C5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000D.00000002.2723546942.0000000008C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000002.2312821972.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1452754587.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2721754963.0000000008AF6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2381674257.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2380904338.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2462247931.0000000008AF6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2452028557.0000000008AF6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2456330575.0000000008AF6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2385694566.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384419569.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000003.00000002.2312821972.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1452754587.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007BA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007B87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.2312821972.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1452754587.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2721754963.0000000008AF6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2381674257.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2380904338.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2462247931.0000000008AF6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2452028557.0000000008AF6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2456330575.0000000008AF6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2385694566.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384419569.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod
Source: explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or-dark
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2C0
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2C0-dark
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gAVf
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gAVf-dark
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRoO
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRoO-dark
Source: explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13glsK
Source: explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13glsK-dark
Source: explorer.exe, 00000003.00000002.2320722901.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456860332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2381542057.0000000008C97000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2380782792.0000000008C97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA12I8qo.img
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1aNvHg.img
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hHW7F.img
Source: explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAI3F0b.img
Source: explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAMVTYz.img
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAP2QJd.img
Source: explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAQk7ql.img
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBCKy3W.img
Source: explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000003.00000002.2320722901.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456860332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://java.co
Source: explorer.exe, 00000003.00000002.2320722901.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456860332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000D.00000003.2380307173.0000000008CA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://outlook.comng
Source: explorer.exe, 00000003.00000002.2320722901.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456860332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://th.bi
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000000.1456860332.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000003.00000002.2320722901.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456860332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com48
Source: explorer.exe, 0000000D.00000003.2380307173.0000000008CA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://word.office.comT;=
Source: explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/health/other/say-goodbye-to-the-covid-19-vaccination-card/ar-AA1hHYLu
Source: explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/news/11-things-you-should-not-do-in-retirement/vi-AA1hH9Jz
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/judge-erupts-at-trump-s-lawyers-for-wasting-time-with-ridicu
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000003.00000002.2308475424.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1449924932.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2313833385.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2308454458.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2310122163.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2312392123.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2354337486.0000000007C22000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007C0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00456354
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C08E

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Export Shipment Documents 72335.exe.1680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Export Shipment Documents 72335.exe.1680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2705169707.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1500557511.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1445854829.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2698343206.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2705537393.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1500520804.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1499670028.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Export Shipment Documents 72335.exe.1680000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Export Shipment Documents 72335.exe.1680000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Export Shipment Documents 72335.exe.1680000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Export Shipment Documents 72335.exe.1680000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Export Shipment Documents 72335.exe.1680000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Export Shipment Documents 72335.exe.1680000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2705169707.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2705169707.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2705169707.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.2736322839.000000000D654000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000002.00000002.1500557511.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1500557511.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1500557511.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1445854829.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1445854829.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1445854829.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2698343206.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2698343206.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2698343206.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2325642731.0000000010D87000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000004.00000002.2705537393.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2705537393.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2705537393.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1500520804.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1500520804.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1500520804.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1499670028.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1499670028.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1499670028.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Export Shipment Documents 72335.exe PID: 7404, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7472, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: help.exe PID: 7516, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Export Shipment Documents 72335.exe
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A320 NtCreateFile, 2_2_0041A320
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A3D0 NtReadFile, 2_2_0041A3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A450 NtClose, 2_2_0041A450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A500 NtAllocateVirtualMemory, 2_2_0041A500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A3CB NtReadFile, 2_2_0041A3CB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A4FA NtAllocateVirtualMemory, 2_2_0041A4FA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_03872BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872B60 NtClose,LdrInitializeThunk, 2_2_03872B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872AD0 NtReadFile,LdrInitializeThunk, 2_2_03872AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872F90 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03872F90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872FB0 NtResumeThread,LdrInitializeThunk, 2_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872FE0 NtCreateFile,LdrInitializeThunk, 2_2_03872FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872F30 NtCreateSection,LdrInitializeThunk, 2_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872E80 NtReadVirtualMemory,LdrInitializeThunk, 2_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_03872EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872DD0 NtDelayExecution,LdrInitializeThunk, 2_2_03872DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03872DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872D10 NtMapViewOfSection,LdrInitializeThunk, 2_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872D30 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_03872D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872CA0 NtQueryInformationToken,LdrInitializeThunk, 2_2_03872CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_03872C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03874340 NtSetContextThread, 2_2_03874340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03874650 NtSuspendThread, 2_2_03874650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872B80 NtQueryInformationFile, 2_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872BA0 NtEnumerateValueKey, 2_2_03872BA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872BE0 NtQueryValueKey, 2_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872AB0 NtWaitForSingleObject, 2_2_03872AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872AF0 NtWriteFile, 2_2_03872AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872FA0 NtQuerySection, 2_2_03872FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872F60 NtCreateProcessEx, 2_2_03872F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872EE0 NtQueueApcThread, 2_2_03872EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872E30 NtWriteVirtualMemory, 2_2_03872E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872DB0 NtEnumerateKey, 2_2_03872DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872D00 NtSetInformationFile, 2_2_03872D00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872CC0 NtQueryVirtualMemory, 2_2_03872CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872CF0 NtOpenProcess, 2_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872C00 NtQueryInformationProcess, 2_2_03872C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872C60 NtCreateKey, 2_2_03872C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03873090 NtSetValueKey, 2_2_03873090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03873010 NtOpenDirectoryObject, 2_2_03873010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038735C0 NtCreateMutant, 2_2_038735C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038739B0 NtGetContextThread, 2_2_038739B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03873D10 NtOpenProcessToken, 2_2_03873D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03873D70 NtOpenThread, 2_2_03873D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 2_2_037AA036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AA042 NtQueryInformationProcess, 2_2_037AA042
Source: C:\Windows\explorer.exe Code function: 3_2_10D70E12 NtProtectVirtualMemory, 3_2_10D70E12
Source: C:\Windows\explorer.exe Code function: 3_2_10D6F232 NtCreateFile, 3_2_10D6F232
Source: C:\Windows\explorer.exe Code function: 3_2_10D70E0A NtProtectVirtualMemory, 3_2_10D70E0A
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2AD0 NtReadFile,LdrInitializeThunk, 4_2_02DD2AD0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_02DD2BF0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2BE0 NtQueryValueKey,LdrInitializeThunk, 4_2_02DD2BE0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2B60 NtClose,LdrInitializeThunk, 4_2_02DD2B60
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_02DD2EA0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2FE0 NtCreateFile,LdrInitializeThunk, 4_2_02DD2FE0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2F30 NtCreateSection,LdrInitializeThunk, 4_2_02DD2F30
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2CA0 NtQueryInformationToken,LdrInitializeThunk, 4_2_02DD2CA0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_02DD2C70
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2C60 NtCreateKey,LdrInitializeThunk, 4_2_02DD2C60
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2DD0 NtDelayExecution,LdrInitializeThunk, 4_2_02DD2DD0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_02DD2DF0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2D10 NtMapViewOfSection,LdrInitializeThunk, 4_2_02DD2D10
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD35C0 NtCreateMutant,LdrInitializeThunk, 4_2_02DD35C0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD4340 NtSetContextThread, 4_2_02DD4340
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD4650 NtSuspendThread, 4_2_02DD4650
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2AF0 NtWriteFile, 4_2_02DD2AF0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2AB0 NtWaitForSingleObject, 4_2_02DD2AB0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2B80 NtQueryInformationFile, 4_2_02DD2B80
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2BA0 NtEnumerateValueKey, 4_2_02DD2BA0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2EE0 NtQueueApcThread, 4_2_02DD2EE0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2E80 NtReadVirtualMemory, 4_2_02DD2E80
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2E30 NtWriteVirtualMemory, 4_2_02DD2E30
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2F90 NtProtectVirtualMemory, 4_2_02DD2F90
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2FB0 NtResumeThread, 4_2_02DD2FB0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2FA0 NtQuerySection, 4_2_02DD2FA0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2F60 NtCreateProcessEx, 4_2_02DD2F60
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2CC0 NtQueryVirtualMemory, 4_2_02DD2CC0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2CF0 NtOpenProcess, 4_2_02DD2CF0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2C00 NtQueryInformationProcess, 4_2_02DD2C00
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2DB0 NtEnumerateKey, 4_2_02DD2DB0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2D00 NtSetInformationFile, 4_2_02DD2D00
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD2D30 NtUnmapViewOfSection, 4_2_02DD2D30
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD3090 NtSetValueKey, 4_2_02DD3090
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD3010 NtOpenDirectoryObject, 4_2_02DD3010
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD39B0 NtGetContextThread, 4_2_02DD39B0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD3D70 NtOpenThread, 4_2_02DD3D70
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD3D10 NtOpenProcessToken, 4_2_02DD3D10
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AA320 NtCreateFile, 4_2_024AA320
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AA3D0 NtReadFile, 4_2_024AA3D0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AA450 NtClose, 4_2_024AA450
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AA500 NtAllocateVirtualMemory, 4_2_024AA500
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AA3CB NtReadFile, 4_2_024AA3CB
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AA4FA NtAllocateVirtualMemory, 4_2_024AA4FA
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C59BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 4_2_02C59BAF
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C5A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 4_2_02C5A036
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C59BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_02C59BB2
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C5A042 NtQueryInformationProcess, 4_2_02C5A042
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004461ED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Detected potential crypto function
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00412038 0_2_00412038
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00427161 0_2_00427161
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0047E1FA 0_2_0047E1FA
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004212BE 0_2_004212BE
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00443390 0_2_00443390
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00443391 0_2_00443391
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0041A46B 0_2_0041A46B
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0041240C 0_2_0041240C
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00446566 0_2_00446566
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004045E0 0_2_004045E0
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0041D750 0_2_0041D750
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004037E0 0_2_004037E0
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00427859 0_2_00427859
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00412818 0_2_00412818
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0040F890 0_2_0040F890
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0042397B 0_2_0042397B
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00409A40 0_2_00409A40
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00411B63 0_2_00411B63
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0047CBF0 0_2_0047CBF0
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0044EBBC 0_2_0044EBBC
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00412C38 0_2_00412C38
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0044ED9A 0_2_0044ED9A
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00423EBF 0_2_00423EBF
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00424F70 0_2_00424F70
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0041AF0D 0_2_0041AF0D
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_03FE6640 0_2_03FE6640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E027 2_2_0041E027
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E13D 2_2_0041E13D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041DC62 2_2_0041DC62
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D563 2_2_0041D563
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041EDCE 2_2_0041EDCE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409E4B 2_2_00409E4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409E50 2_2_00409E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041DE6D 2_2_0041DE6D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E3F0 2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039003E6 2_2_039003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FA352 2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C02C0 2_2_038C02C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F41A2 2_2_038F41A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039001AA 2_2_039001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F81CC 2_2_038F81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03830100 2_2_03830100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DA118 2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C8158 2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D2000 2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383C7C0 2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03864750 2_2_03864750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385C6E0 2_2_0385C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03900591 2_2_03900591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840535 2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EE4F6 2_2_038EE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E4420 2_2_038E4420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F2446 2_2_038F2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F6BD7 2_2_038F6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FAB40 2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383EA80 2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390A9A6 2_2_0390A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03856962 2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038268B8 2_2_038268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E8F0 2_2_0386E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384A840 2_2_0384A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03842840 2_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BEFA0 2_2_038BEFA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03832FC8 2_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384CFE0 2_2_0384CFE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03882F28 2_2_03882F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03860F30 2_2_03860F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E2F30 2_2_038E2F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B4F40 2_2_038B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03852E90 2_2_03852E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FCE93 2_2_038FCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FEEDB 2_2_038FEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FEE26 2_2_038FEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840E59 2_2_03840E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03858DBF 2_2_03858DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383ADE0 2_2_0383ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384AD00 2_2_0384AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DCD1F 2_2_038DCD1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0CB5 2_2_038E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03830CF2 2_2_03830CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840C00 2_2_03840C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0388739A 2_2_0388739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F132D 2_2_038F132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382D34C 2_2_0382D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038452A0 2_2_038452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385B2C0 2_2_0385B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E12ED 2_2_038E12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384B1B0 2_2_0384B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0387516C 2_2_0387516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382F172 2_2_0382F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390B16B 2_2_0390B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EF0CC 2_2_038EF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038470C0 2_2_038470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F70E9 2_2_038F70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FF0E0 2_2_038FF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FF7B0 2_2_038FF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F16CC 2_2_038F16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03885630 2_2_03885630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DD5B0 2_2_038DD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039095C3 2_2_039095C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F7571 2_2_038F7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FF43F 2_2_038FF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03831460 2_2_03831460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385FB80 2_2_0385FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B5BF0 2_2_038B5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0387DBF9 2_2_0387DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FFB76 2_2_038FFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DDAAC 2_2_038DDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03885AA0 2_2_03885AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E1AA3 2_2_038E1AA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EDAC6 2_2_038EDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FFA49 2_2_038FFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F7A46 2_2_038F7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B3A6C 2_2_038B3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D5910 2_2_038D5910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03849950 2_2_03849950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385B950 2_2_0385B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038438E0 2_2_038438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AD800 2_2_038AD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03841F92 2_2_03841F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FFFB1 2_2_038FFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03803FD2 2_2_03803FD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03803FD5 2_2_03803FD5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FFF09 2_2_038FFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03849EB0 2_2_03849EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385FDC0 2_2_0385FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03843D40 2_2_03843D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F1D5A 2_2_038F1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F7D73 2_2_038F7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FFCF2 2_2_038FFCF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B9C32 2_2_038B9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AA036 2_2_037AA036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AB232 2_2_037AB232
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037A1082 2_2_037A1082
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AE5CD 2_2_037AE5CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037A5B32 2_2_037A5B32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037A5B30 2_2_037A5B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037A8912 2_2_037A8912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037A2D02 2_2_037A2D02
Source: C:\Windows\explorer.exe Code function: 3_2_0ECCF232 3_2_0ECCF232
Source: C:\Windows\explorer.exe Code function: 3_2_0ECC9B30 3_2_0ECC9B30
Source: C:\Windows\explorer.exe Code function: 3_2_0ECC9B32 3_2_0ECC9B32
Source: C:\Windows\explorer.exe Code function: 3_2_0ECC5082 3_2_0ECC5082
Source: C:\Windows\explorer.exe Code function: 3_2_0ECCE036 3_2_0ECCE036
Source: C:\Windows\explorer.exe Code function: 3_2_0ECD25CD 3_2_0ECD25CD
Source: C:\Windows\explorer.exe Code function: 3_2_0ECC6D02 3_2_0ECC6D02
Source: C:\Windows\explorer.exe Code function: 3_2_0ECCC912 3_2_0ECCC912
Source: C:\Windows\explorer.exe Code function: 3_2_10D6F232 3_2_10D6F232
Source: C:\Windows\explorer.exe Code function: 3_2_10D65082 3_2_10D65082
Source: C:\Windows\explorer.exe Code function: 3_2_10D6E036 3_2_10D6E036
Source: C:\Windows\explorer.exe Code function: 3_2_10D725CD 3_2_10D725CD
Source: C:\Windows\explorer.exe Code function: 3_2_10D6C912 3_2_10D6C912
Source: C:\Windows\explorer.exe Code function: 3_2_10D66D02 3_2_10D66D02
Source: C:\Windows\explorer.exe Code function: 3_2_10D69B32 3_2_10D69B32
Source: C:\Windows\explorer.exe Code function: 3_2_10D69B30 3_2_10D69B30
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E202C0 4_2_02E202C0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E40274 4_2_02E40274
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E603E6 4_2_02E603E6
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DAE3F0 4_2_02DAE3F0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5A352 4_2_02E5A352
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E32000 4_2_02E32000
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E581CC 4_2_02E581CC
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E601AA 4_2_02E601AA
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E28158 4_2_02E28158
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02D90100 4_2_02D90100
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E3A118 4_2_02E3A118
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DBC6E0 4_2_02DBC6E0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02D9C7C0 4_2_02D9C7C0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DC4750 4_2_02DC4750
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA0770 4_2_02DA0770
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E4E4F6 4_2_02E4E4F6
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E52446 4_2_02E52446
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E44420 4_2_02E44420
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E60591 4_2_02E60591
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA0535 4_2_02DA0535
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02D9EA80 4_2_02D9EA80
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E56BD7 4_2_02E56BD7
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5AB40 4_2_02E5AB40
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DCE8F0 4_2_02DCE8F0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02D868B8 4_2_02D868B8
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA2840 4_2_02DA2840
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DAA840 4_2_02DAA840
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E6A9A6 4_2_02E6A9A6
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA29A0 4_2_02DA29A0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DB6962 4_2_02DB6962
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5EEDB 4_2_02E5EEDB
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DB2E90 4_2_02DB2E90
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5CE93 4_2_02E5CE93
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA0E59 4_2_02DA0E59
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5EE26 4_2_02E5EE26
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02D92FC8 4_2_02D92FC8
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DACFE0 4_2_02DACFE0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E1EFA0 4_2_02E1EFA0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E14F40 4_2_02E14F40
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E42F30 4_2_02E42F30
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DC0F30 4_2_02DC0F30
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DE2F28 4_2_02DE2F28
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02D90CF2 4_2_02D90CF2
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E40CB5 4_2_02E40CB5
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA0C00 4_2_02DA0C00
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02D9ADE0 4_2_02D9ADE0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DB8DBF 4_2_02DB8DBF
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DAAD00 4_2_02DAAD00
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E3CD1F 4_2_02E3CD1F
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E412ED 4_2_02E412ED
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DBB2C0 4_2_02DBB2C0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA52A0 4_2_02DA52A0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DE739A 4_2_02DE739A
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02D8D34C 4_2_02D8D34C
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5132D 4_2_02E5132D
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5F0E0 4_2_02E5F0E0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E570E9 4_2_02E570E9
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA70C0 4_2_02DA70C0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E4F0CC 4_2_02E4F0CC
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DAB1B0 4_2_02DAB1B0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E6B16B 4_2_02E6B16B
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02D8F172 4_2_02D8F172
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DD516C 4_2_02DD516C
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E516CC 4_2_02E516CC
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5F7B0 4_2_02E5F7B0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02D91460 4_2_02D91460
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5F43F 4_2_02E5F43F
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E3D5B0 4_2_02E3D5B0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E57571 4_2_02E57571
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E4DAC6 4_2_02E4DAC6
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E41AA3 4_2_02E41AA3
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E3DAAC 4_2_02E3DAAC
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DE5AA0 4_2_02DE5AA0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E13A6C 4_2_02E13A6C
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E57A46 4_2_02E57A46
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5FA49 4_2_02E5FA49
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E15BF0 4_2_02E15BF0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DDDBF9 4_2_02DDDBF9
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DBFB80 4_2_02DBFB80
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5FB76 4_2_02E5FB76
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA38E0 4_2_02DA38E0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E0D800 4_2_02E0D800
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA9950 4_2_02DA9950
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DBB950 4_2_02DBB950
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E35910 4_2_02E35910
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA9EB0 4_2_02DA9EB0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA1F92 4_2_02DA1F92
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5FFB1 4_2_02E5FFB1
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5FF09 4_2_02E5FF09
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E5FCF2 4_2_02E5FCF2
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E19C32 4_2_02E19C32
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DBFDC0 4_2_02DBFDC0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E57D73 4_2_02E57D73
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02DA3D40 4_2_02DA3D40
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02E51D5A 4_2_02E51D5A
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AE027 4_2_024AE027
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AE13D 4_2_024AE13D
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AD563 4_2_024AD563
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02499E4B 4_2_02499E4B
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02499E50 4_2_02499E50
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024ADE6D 4_2_024ADE6D
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02492FB0 4_2_02492FB0
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024ADC62 4_2_024ADC62
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AEDCE 4_2_024AEDCE
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02492D90 4_2_02492D90
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C5A036 4_2_02C5A036
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C5B232 4_2_02C5B232
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C55B30 4_2_02C55B30
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C55B32 4_2_02C55B32
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C51082 4_2_02C51082
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C58912 4_2_02C58912
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C5E5CD 4_2_02C5E5CD
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C52D02 4_2_02C52D02
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: String function: 0040E6D0 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03887E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 038AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0382B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 038BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03875130 appears 58 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02E1F290 appears 105 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02D8B970 appears 275 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02DE7E54 appears 102 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02DD5130 appears 58 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02E0EA12 appears 86 times
One or more processes crash
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4084 -s 7096
Sample file is different than original file name gathered from version info
Source: Export Shipment Documents 72335.exe, 00000000.00000003.1439553526.00000000046D3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Export Shipment Documents 72335.exe
Source: Export Shipment Documents 72335.exe, 00000000.00000003.1443724257.000000000487D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Export Shipment Documents 72335.exe
Uses 32bit PE files
Source: Export Shipment Documents 72335.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Export Shipment Documents 72335.exe.1680000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Export Shipment Documents 72335.exe.1680000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Export Shipment Documents 72335.exe.1680000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Export Shipment Documents 72335.exe.1680000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Export Shipment Documents 72335.exe.1680000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Export Shipment Documents 72335.exe.1680000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2705169707.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2705169707.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2705169707.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2736322839.000000000D654000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000002.00000002.1500557511.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1500557511.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1500557511.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1445854829.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1445854829.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1445854829.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2698343206.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2698343206.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2698343206.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2325642731.0000000010D87000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000004.00000002.2705537393.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2705537393.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2705537393.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1500520804.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1500520804.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1500520804.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1499670028.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1499670028.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1499670028.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Export Shipment Documents 72335.exe PID: 7404, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7472, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: help.exe PID: 7516, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: explorer.exe, 0000000D.00000002.2718527037.0000000007B87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBp
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/8@5/1
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW, 0_2_0044AF5C
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464422
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D517
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle, 0_2_0043701F
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_0047A999
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043614F
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.db Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4084
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe File created: C:\Users\user\AppData\Local\Temp\parters Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Command line argument: Wu 0_2_0040D7F0
Source: Export Shipment Documents 72335.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Export Shipment Documents 72335.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe File read: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Export Shipment Documents 72335.exe "C:\Users\user\Desktop\Export Shipment Documents 72335.exe"
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Export Shipment Documents 72335.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe "C:\Windows\SysWOW64\help.exe"
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4084 -s 7096
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Export Shipment Documents 72335.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe "C:\Windows\SysWOW64\help.exe" Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ninput.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: starttiledata.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: idstore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.applicationmodel.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: usermgrproxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wlidprov.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sndvolsso.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mmdevapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: appextension.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cldapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: tiledatarepository.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: staterepository.core.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepository.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: languageoverlayutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinui.pcshell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wincorlib.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.immersiveshell.serviceprovider.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: photometadatahandler.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ehstorshell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cscui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: provsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinui.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: applicationframe.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: holographicextensions.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: virtualmonitormanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: abovelockapphost.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: npsm.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.shell.bluelightreduction.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.web.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.internal.signals.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositorybroker.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfplat.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: rtworkq.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskflowdataengine.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: structuredquery.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: stobject.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wmiclnt.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: workfoldersshell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.system.launcher.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.security.authentication.web.core.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.data.activities.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.internal.ui.shell.windowtabmanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: notificationcontrollerps.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.devices.enumeration.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: icu.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswb7.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: devdispitemprovider.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.networking.connectivity.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.core.textinput.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windowsudk.shellcommon.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dictationmanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: pcshellcommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cryptngc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cflapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: shellcommoncommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: daxexec.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: container.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: batmeter.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: inputswitch.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: prnfldr.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wpnclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dxp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: syncreg.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: actioncenter.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: audioses.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wscinterop.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wscapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: werconcpl.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: hcproviders.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dusmapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: pnidui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: networkuxbroker.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ethernetmediamanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: storageusage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: fhcfg.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: efsutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.internal.system.userprofile.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ncsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cloudexperiencehostbroker.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: credui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wdscore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wpdshserviceobj.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: portabledevicetypes.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: portabledeviceapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cscobj.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: srchadmin.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.search.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: synccenter.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: imapi2.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ieproxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: bluetoothapis.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: bluetoothapis.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: settingsync.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: settingsynccore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wpnapps.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.xaml.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windowsinternal.composableshell.desktophosting.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uiamanager.dll Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Export Shipment Documents 72335.exe Static file information: File size 1092621 > 1048576
Source: Binary string: wntdll.pdbUGP source: Export Shipment Documents 72335.exe, 00000000.00000003.1444022587.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, Export Shipment Documents 72335.exe, 00000000.00000003.1440621009.0000000004750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500842270.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1444202047.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1445947770.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500842270.000000000399E000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000003.1500086455.00000000029E8000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000002.2709904609.0000000002EFE000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000002.2709904609.0000000002D60000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000003.1501711079.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Export Shipment Documents 72335.exe, 00000000.00000003.1444022587.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, Export Shipment Documents 72335.exe, 00000000.00000003.1440621009.0000000004750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1500842270.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1444202047.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1445947770.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500842270.000000000399E000.00000040.00001000.00020000.00000000.sdmp, help.exe, help.exe, 00000004.00000003.1500086455.00000000029E8000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000002.2709904609.0000000002EFE000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000002.2709904609.0000000002D60000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000003.1501711079.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: help.pdbGCTL source: svchost.exe, 00000002.00000002.1500301030.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500323144.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500590168.00000000036A0000.00000040.10000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.2698010994.0000000000470000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.2325206022.000000001004F000.00000004.80000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.2715096234.00000000032AF000.00000004.10000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.2699334682.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2725318929.000000000A5BF000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: help.pdb source: svchost.exe, 00000002.00000002.1500301030.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500323144.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1500590168.00000000036A0000.00000040.10000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.2698010994.0000000000470000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.2325206022.000000001004F000.00000004.80000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.2715096234.00000000032AF000.00000004.10000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.2699334682.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2725318929.000000000A5BF000.00000004.80000000.00040000.00000000.sdmp
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
PE file contains an invalid checksum
Source: Export Shipment Documents 72335.exe Static PE information: real checksum: 0xa2135 should be: 0x11212e
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D475 push eax; ret 2_2_0041D4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4C2 push eax; ret 2_2_0041D4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4CB push eax; ret 2_2_0041D532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D52C push eax; ret 2_2_0041D532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0380225F pushad ; ret 2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038027FA pushad ; ret 2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx 2_2_038309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0380283D push eax; iretd 2_2_03802858
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03801368 push eax; iretd 2_2_03801369
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AEB1E push esp; retn 0000h 2_2_037AEB1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AEB02 push esp; retn 0000h 2_2_037AEB03
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AE9B5 push esp; retn 0000h 2_2_037AEAE7
Source: C:\Windows\explorer.exe Code function: 3_2_0ECD2B02 push esp; retn 0000h 3_2_0ECD2B03
Source: C:\Windows\explorer.exe Code function: 3_2_0ECD2B1E push esp; retn 0000h 3_2_0ECD2B1F
Source: C:\Windows\explorer.exe Code function: 3_2_0ECD29B5 push esp; retn 0000h 3_2_0ECD2AE7
Source: C:\Windows\explorer.exe Code function: 3_2_10D729B5 push esp; retn 0000h 3_2_10D72AE7
Source: C:\Windows\explorer.exe Code function: 3_2_10D72B1E push esp; retn 0000h 3_2_10D72B1F
Source: C:\Windows\explorer.exe Code function: 3_2_10D72B02 push esp; retn 0000h 3_2_10D72B03
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02D909AD push ecx; mov dword ptr [esp], ecx 4_2_02D909B6
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AD475 push eax; ret 4_2_024AD4C8
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AD4CB push eax; ret 4_2_024AD532
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AD4C2 push eax; ret 4_2_024AD4C8
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_024AD52C push eax; ret 4_2_024AD532
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C5EB02 push esp; retn 0000h 4_2_02C5EB03
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C5EB1E push esp; retn 0000h 4_2_02C5EB1F
Source: C:\Windows\SysWOW64\help.exe Code function: 4_2_02C5E9B5 push esp; retn 0000h 4_2_02C5EAE7
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00444078 0_2_00444078
Query firmware table information (likely to detect VMs)
Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe API/Special instruction interceptor: Address: 3FE6264
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FFBCB7ADA44
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 2499904 second address: 249990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 2499B6E second address: 2499B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2095 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 7850 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 888 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 863 Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Window / User API: threadDelayed 5442 Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Window / User API: threadDelayed 4530 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 604
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 577
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe API coverage: 3.2 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.1 %
Source: C:\Windows\SysWOW64\help.exe API coverage: 2.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 7836 Thread sleep count: 2095 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 7836 Thread sleep time: -4190000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7836 Thread sleep count: 7850 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 7836 Thread sleep time: -15700000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 7656 Thread sleep count: 5442 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 7656 Thread sleep time: -10884000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 7656 Thread sleep count: 4530 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 7656 Thread sleep time: -9060000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: explorer.exe, 0000000D.00000003.2456141152.000000000D0FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: explorer.exe, 00000003.00000002.2312821972.0000000009330000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: explorer.exe, 0000000D.00000003.2461594481.000000000D0B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_`O
Source: explorer.exe, 0000000D.00000003.2462247931.0000000008A16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#4&
Source: explorer.exe, 0000000D.00000003.2462247931.0000000008A16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000D.00000003.2380904338.0000000008A38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wsPVMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Devicet\AppData\Local\M^|
Source: explorer.exe, 00000003.00000002.2299870409.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00=
Source: explorer.exe, 00000003.00000000.1452754587.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312821972.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2381542057.0000000008C97000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2380782792.0000000008C97000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2723546942.0000000008C97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000D.00000002.2723546942.0000000008C97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000002.2730594093.000000000CDB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000D.00000003.2443619854.000000000D126000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000003.2462247931.0000000008A16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: explorer.exe, 00000003.00000002.2312821972.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1452754587.00000000090DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000D.00000003.2384419569.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Deviceoem2.inf
Source: explorer.exe, 0000000D.00000003.2462247931.0000000008A16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000D.00000003.2452028557.0000000008A37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000003.00000000.1457929088.000000000C090000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ata
Source: explorer.exe, 00000003.00000002.2312821972.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1452754587.00000000090DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: explorer.exe, 0000000D.00000002.2723546942.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}#
Source: explorer.exe, 0000000D.00000003.2456141152.000000000D0B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_
Source: explorer.exe, 00000003.00000002.2299870409.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000002.2312821972.0000000009255000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: explorer.exe, 0000000D.00000002.2730594093.000000000D05A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000\v
Source: explorer.exe, 0000000D.00000003.2461594481.000000000D0B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:8
Source: explorer.exe, 0000000D.00000003.2384419569.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000nf
Source: explorer.exe, 0000000D.00000002.2723546942.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000D.00000002.2721754963.00000000089C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: explorer.exe, 00000003.00000000.1457929088.000000000C090000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}wy6`1
Source: explorer.exe, 0000000D.00000002.2698342567.0000000001254000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e
Source: explorer.exe, 0000000D.00000003.2384419569.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00
Source: explorer.exe, 0000000D.00000003.2450436727.000000000D0AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000000D.00000003.2315395164.0000000008A24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000003.2450436727.000000000D0FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000003.2462247931.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2456330575.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2721754963.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2452028557.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2384419569.0000000008A38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2386953425.0000000008A38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2380904338.0000000008A38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-GB\msmouse.inf_loc
Source: explorer.exe, 0000000D.00000002.2723546942.0000000008C45000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2380782792.0000000008C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: explorer.exe, 0000000D.00000003.2449663691.000000000D1E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000002.2698342567.0000000001254000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000002.2312821972.0000000009330000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.2299870409.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\explorer.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\explorer.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040ACE0 LdrLoadDll, 2_2_0040ACE0
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_03FE6530 mov eax, dword ptr fs:[00000030h] 0_2_03FE6530
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_03FE64D0 mov eax, dword ptr fs:[00000030h] 0_2_03FE64D0
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_03FE4EC0 mov eax, dword ptr fs:[00000030h] 0_2_03FE4EC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h] 2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h] 2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h] 2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h] 2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h] 2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h] 2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h] 2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h] 2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h] 2_2_038EC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h] 2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h] 2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h] 2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h] 2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h] 2_2_038B63C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h] 2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h] 2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h] 2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h] 2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h] 2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038663FF mov eax, dword ptr fs:[00000030h] 2_2_038663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h] 2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h] 2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h] 2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h] 2_2_0382C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h] 2_2_03850310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h] 2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03908324 mov ecx, dword ptr fs:[00000030h] 2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h] 2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h] 2_2_03908324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] 2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] 2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] 2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h] 2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] 2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] 2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h] 2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D8350 mov ecx, dword ptr fs:[00000030h] 2_2_038D8350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390634F mov eax, dword ptr fs:[00000030h] 2_2_0390634F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D437C mov eax, dword ptr fs:[00000030h] 2_2_038D437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h] 2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h] 2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h] 2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h] 2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h] 2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h] 2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h] 2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h] 2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h] 2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h] 2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h] 2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h] 2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039062D6 mov eax, dword ptr fs:[00000030h] 2_2_039062D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h] 2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h] 2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h] 2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382823B mov eax, dword ptr fs:[00000030h] 2_2_0382823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h] 2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h] 2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0390625D mov eax, dword ptr fs:[00000030h] 2_2_0390625D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h] 2_2_0382A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836259 mov eax, dword ptr fs:[00000030h] 2_2_03836259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h] 2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h] 2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h] 2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h] 2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h] 2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382826B mov eax, dword ptr fs:[00000030h] 2_2_0382826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03870185 mov eax, dword ptr fs:[00000030h] 2_2_03870185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h] 2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h] 2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h] 2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h] 2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h] 2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h] 2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h] 2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h] 2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h] 2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h] 2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h] 2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h] 2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h] 2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h] 2_2_039061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h] 2_2_038601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h] 2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h] 2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h] 2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h] 2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h] 2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h] 2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h] 2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h] 2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h] 2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h] 2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h] 2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h] 2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h] 2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h] 2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h] 2_2_038F0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03860124 mov eax, dword ptr fs:[00000030h] 2_2_03860124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h] 2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h] 2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h] 2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h] 2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h] 2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h] 2_2_0382C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h] 2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h] 2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h] 2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h] 2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h] 2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383208A mov eax, dword ptr fs:[00000030h] 2_2_0383208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038280A0 mov eax, dword ptr fs:[00000030h] 2_2_038280A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h] 2_2_038C80A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h] 2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h] 2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h] 2_2_038B20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_0382A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h] 2_2_038380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h] 2_2_038B60E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h] 2_2_0382C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h] 2_2_038720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h] 2_2_038B4000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h] 2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h] 2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h] 2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h] 2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h] 2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h] 2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h] 2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h] 2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h] 2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h] 2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h] 2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h] 2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h] 2_2_0382A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h] 2_2_0382C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C6030 mov eax, dword ptr fs:[00000030h] 2_2_038C6030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03832050 mov eax, dword ptr fs:[00000030h] 2_2_03832050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h] 2_2_038B6050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h] 2_2_0385C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D678E mov eax, dword ptr fs:[00000030h] 2_2_038D678E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038307AF mov eax, dword ptr fs:[00000030h] 2_2_038307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E47A0 mov eax, dword ptr fs:[00000030h] 2_2_038E47A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h] 2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h] 2_2_038B07C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h] 2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h] 2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h] 2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BE7E1 mov eax, dword ptr fs:[00000030h] 2_2_038BE7E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h] 2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h] 2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h] 2_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03830710 mov eax, dword ptr fs:[00000030h] 2_2_03830710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03860710 mov eax, dword ptr fs:[00000030h] 2_2_03860710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h] 2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h] 2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h] 2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386273C mov ecx, dword ptr fs:[00000030h] 2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h] 2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h] 2_2_038AC730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386674D mov esi, dword ptr fs:[00000030h] 2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h] 2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h] 2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03830750 mov eax, dword ptr fs:[00000030h] 2_2_03830750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BE75D mov eax, dword ptr fs:[00000030h] 2_2_038BE75D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h] 2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h] 2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h] 2_2_038B4755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03838770 mov eax, dword ptr fs:[00000030h] 2_2_03838770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] 2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h] 2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h] 2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h] 2_2_0386C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h] 2_2_038666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A6C7 mov eax, dword ptr fs:[00000030h] 2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h] 2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h] 2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h] 2_2_038AE609
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h] 2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h] 2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h] 2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h] 2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h] 2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h] 2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h] 2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872619 mov eax, dword ptr fs:[00000030h] 2_2_03872619
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h] 2_2_0384E627
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03866620 mov eax, dword ptr fs:[00000030h] 2_2_03866620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03868620 mov eax, dword ptr fs:[00000030h] 2_2_03868620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383262C mov eax, dword ptr fs:[00000030h] 2_2_0383262C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384C640 mov eax, dword ptr fs:[00000030h] 2_2_0384C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h] 2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h] 2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h] 2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h] 2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03862674 mov eax, dword ptr fs:[00000030h] 2_2_03862674
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03832582 mov eax, dword ptr fs:[00000030h] 2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03832582 mov ecx, dword ptr fs:[00000030h] 2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03864588 mov eax, dword ptr fs:[00000030h] 2_2_03864588
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E59C mov eax, dword ptr fs:[00000030h] 2_2_0386E59C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h] 2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h] 2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h] 2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h] 2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h] 2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h] 2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h] 2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038365D0 mov eax, dword ptr fs:[00000030h] 2_2_038365D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038325E0 mov eax, dword ptr fs:[00000030h] 2_2_038325E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h] 2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h] 2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C6500 mov eax, dword ptr fs:[00000030h] 2_2_038C6500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h] 2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h] 2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h] 2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h] 2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h] 2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h] 2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h] 2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h] 2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h] 2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h] 2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h] 2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h] 2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h] 2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h] 2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h] 2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h] 2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h] 2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h] 2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h] 2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h] 2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h] 2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h] 2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h] 2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EA49A mov eax, dword ptr fs:[00000030h] 2_2_038EA49A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038364AB mov eax, dword ptr fs:[00000030h] 2_2_038364AB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038644B0 mov ecx, dword ptr fs:[00000030h] 2_2_038644B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BA4B0 mov eax, dword ptr fs:[00000030h] 2_2_038BA4B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038304E5 mov ecx, dword ptr fs:[00000030h] 2_2_038304E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h] 2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h] 2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h] 2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h] 2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h] 2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h] 2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382C427 mov eax, dword ptr fs:[00000030h] 2_2_0382C427
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h] 2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h] 2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h] 2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h] 2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h] 2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h] 2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h] 2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A430 mov eax, dword ptr fs:[00000030h] 2_2_0386A430
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h] 2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h] 2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h] 2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h] 2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h] 2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h] 2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h] 2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h] 2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EA456 mov eax, dword ptr fs:[00000030h] 2_2_038EA456
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382645D mov eax, dword ptr fs:[00000030h] 2_2_0382645D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385245A mov eax, dword ptr fs:[00000030h] 2_2_0385245A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BC460 mov ecx, dword ptr fs:[00000030h] 2_2_038BC460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h] 2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h] 2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h] 2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h] 2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h] 2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h] 2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h] 2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h] 2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h] 2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h] 2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h] 2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DEBD0 mov eax, dword ptr fs:[00000030h] 2_2_038DEBD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h] 2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h] 2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h] 2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385EBFC mov eax, dword ptr fs:[00000030h] 2_2_0385EBFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BCBF0 mov eax, dword ptr fs:[00000030h] 2_2_038BCBF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904B00 mov eax, dword ptr fs:[00000030h] 2_2_03904B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] 2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] 2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] 2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] 2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] 2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] 2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] 2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] 2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] 2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h] 2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h] 2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h] 2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h] 2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h] 2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h] 2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h] 2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h] 2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h] 2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h] 2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h] 2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h] 2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FAB40 mov eax, dword ptr fs:[00000030h] 2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D8B42 mov eax, dword ptr fs:[00000030h] 2_2_038D8B42
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03828B50 mov eax, dword ptr fs:[00000030h] 2_2_03828B50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DEB50 mov eax, dword ptr fs:[00000030h] 2_2_038DEB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382CB7E mov eax, dword ptr fs:[00000030h] 2_2_0382CB7E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] 2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] 2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] 2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] 2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] 2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] 2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] 2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] 2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] 2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904A80 mov eax, dword ptr fs:[00000030h] 2_2_03904A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03868A90 mov edx, dword ptr fs:[00000030h] 2_2_03868A90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h] 2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h] 2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03886AA4 mov eax, dword ptr fs:[00000030h] 2_2_03886AA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h] 2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h] 2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h] 2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03830AD0 mov eax, dword ptr fs:[00000030h] 2_2_03830AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h] 2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h] 2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h] 2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h] 2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BCA11 mov eax, dword ptr fs:[00000030h] 2_2_038BCA11
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386CA24 mov eax, dword ptr fs:[00000030h] 2_2_0386CA24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385EA2E mov eax, dword ptr fs:[00000030h] 2_2_0385EA2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h] 2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h] 2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386CA38 mov eax, dword ptr fs:[00000030h] 2_2_0386CA38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] 2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] 2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] 2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] 2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] 2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] 2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] 2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h] 2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h] 2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h] 2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h] 2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h] 2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038DEA60 mov eax, dword ptr fs:[00000030h] 2_2_038DEA60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h] 2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h] 2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] 2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h] 2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h] 2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B89B3 mov esi, dword ptr fs:[00000030h] 2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h] 2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h] 2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C69C0 mov eax, dword ptr fs:[00000030h] 2_2_038C69C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038649D0 mov eax, dword ptr fs:[00000030h] 2_2_038649D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FA9D3 mov eax, dword ptr fs:[00000030h] 2_2_038FA9D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BE9E0 mov eax, dword ptr fs:[00000030h] 2_2_038BE9E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h] 2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h] 2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h] 2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h] 2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BC912 mov eax, dword ptr fs:[00000030h] 2_2_038BC912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h] 2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h] 2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B892A mov eax, dword ptr fs:[00000030h] 2_2_038B892A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C892B mov eax, dword ptr fs:[00000030h] 2_2_038C892B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B0946 mov eax, dword ptr fs:[00000030h] 2_2_038B0946
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03904940 mov eax, dword ptr fs:[00000030h] 2_2_03904940
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h] 2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h] 2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h] 2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h] 2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0387096E mov edx, dword ptr fs:[00000030h] 2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h] 2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h] 2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h] 2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BC97C mov eax, dword ptr fs:[00000030h] 2_2_038BC97C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03830887 mov eax, dword ptr fs:[00000030h] 2_2_03830887
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BC89D mov eax, dword ptr fs:[00000030h] 2_2_038BC89D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385E8C0 mov eax, dword ptr fs:[00000030h] 2_2_0385E8C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039008C0 mov eax, dword ptr fs:[00000030h] 2_2_039008C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FA8E4 mov eax, dword ptr fs:[00000030h] 2_2_038FA8E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038BC810 mov eax, dword ptr fs:[00000030h] 2_2_038BC810
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h] 2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h] 2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h] 2_2_03852835
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
Enables debug privileges
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 13.248.252.114 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\help.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\help.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 4084 Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 4084 Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3636 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 470000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CD0008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_00436431
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Export Shipment Documents 72335.exe" Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: explorer.exe, 0000000D.00000003.2354337486.0000000007CAB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2394374677.0000000007CAB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2718527037.0000000007CAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman|K
Source: Export Shipment Documents 72335.exe, explorer.exe, 00000003.00000000.1449709277.00000000044D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1448331055.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1452754587.000000000936E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.1448331055.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1448058321.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2299870409.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000002.2698342567.0000000001230000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *Progman#
Source: explorer.exe, 00000003.00000000.1448331055.0000000001090000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: 0Program Manager
Source: Export Shipment Documents 72335.exe Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000000.1448331055.0000000001090000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.1452754587.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2312821972.000000000936E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd]1Q
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_0042039F
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Export Shipment Documents 72335.exe.1680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Export Shipment Documents 72335.exe.1680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2705169707.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1500557511.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1445854829.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2698343206.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2705537393.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1500520804.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1499670028.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
OS version to string mapping found (often used in BOTs)
Source: Export Shipment Documents 72335.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: Export Shipment Documents 72335.exe Binary or memory string: WIN_XP
Source: Export Shipment Documents 72335.exe Binary or memory string: WIN_XPe
Source: Export Shipment Documents 72335.exe Binary or memory string: WIN_VISTA
Source: Export Shipment Documents 72335.exe Binary or memory string: WIN_7

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Export Shipment Documents 72335.exe.1680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Export Shipment Documents 72335.exe.1680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2705169707.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1500557511.0000000003670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1445854829.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2698343206.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2705537393.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1500520804.0000000003640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1499670028.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\Export Shipment Documents 72335.exe Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1543817 Sample: Export Shipment Documents 7... Startdate: 28/10/2024 Architecture: WINDOWS Score: 100 32 www.oco188rtp.xyz 2->32 34 www.764.xyz 2->34 36 3 other IPs or domains 2->36 40 Suricata IDS alerts for network traffic 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 48 8 other signatures 2->48 11 Export Shipment Documents 72335.exe 1 2->11         started        signatures3 46 Performs DNS queries to domains with low reputation 34->46 process4 signatures5 62 Writes to foreign memory regions 11->62 64 Maps a DLL or memory area into another process 11->64 14 svchost.exe 11->14         started        process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 3 other signatures 14->72 17 explorer.exe 26 1 14->17 injected process8 process9 19 help.exe 17->19         started        22 WerFault.exe 21 17->22         started        signatures10 50 Modifies the context of a thread in another process (thread injection) 19->50 52 Maps a DLL or memory area into another process 19->52 54 Tries to detect virtualization through RDTSC time measurements 19->54 56 Switches to a custom stack to bypass stack traces 19->56 24 explorer.exe 31 127 19->24         started        28 cmd.exe 1 19->28         started        process11 dnsIp12 38 www.764.xyz 13.248.252.114, 49737, 80 AMAZON-02US United States 24->38 58 System process connects to network (likely due to code injection or exploit) 24->58 60 Query firmware table information (likely to detect VMs) 24->60 30 conhost.exe 28->30         started        signatures13 process14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
13.248.252.114
 www.764.xyz United States
16509 AMAZON-02US true

Contacted Domains

Name IP Active
www.764.xyz 13.248.252.114 true
www.unwaleheathyhibbing.cfd unknown unknown
www.ikigorakos.net unknown unknown
www.oco188rtp.xyz unknown unknown
api.msn.com unknown unknown