Windows Analysis Report
Document.exe

Overview

General Information

Sample name: Document.exe
Analysis ID: 1543822
MD5: 8128f92e759ef0399a73d001b78bf37e
SHA1: 64d435e7ca1c98ea6e1b5818d6cc8d0dad22db7d
SHA256: 2d1d21fefaccdde89b759234f18ed79ea0a8a631c15be4f93fe3106f7fe6abe6
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Found malware configuration
Source: 00000004.00000002.4511611873.0000000000A20000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.280.vip/n04s/"], "decoy": ["imberstimedtinter.cfd", "ttfr44solutionschesapeake.pro", "kkas.xyz", "sk-frby.xyz", "ptowing.net", "jzimq-community.xyz", "ressoncrookencruller.cfd", "amedana.click", "ravamarketing.tech", "udfa-speech.xyz", "ose-bdbzsg.xyz", "alsiuuarsiau.xyz", "fgiopa.xyz", "15501.pro", "tart-ewlon.xyz", "kjjf-company.xyz", "araldschauer.shop", "wet25.vip", "armostfavorgaivn.cfd", "ompa77.click", "oldier-nkosi.xyz", "ouchs.xyz", "eovk-how.xyz", "pirutznekg.top", "oeda-ssa.xyz", "airobi77.cfd", "oldplay.click", "tzai-space.xyz", "ateslotular.xyz", "okavuxentid.xyz", "53924.pink", "trrttfjftw.top", "ofdkd-determine.xyz", "tudy-hwcd.xyz", "apavalley.directory", "gnbft-top.xyz", "rislyhallyhanced.cfd", "ostcanadantyg.top", "nowmass.top", "ccspt.net", "j4yt2.vip", "2bmarketingwebinarshub.today", "endkos.family", "espond-yvctq.xyz", "odnotaba.website", "3526592.xyz", "ist-sxyu.xyz", "eat-tyfp.xyz", "ndividual-liqkc.xyz", "om-trackeg.top", "fogatoshadufsshimkus.cfd", "etinfin8y.click", "reeremovebg.top", "5388205.top", "nterest-phvfi.xyz", "rodutos-corporais.today", "cteruvyyn.xyz", "ember-kwmapz.xyz", "xggc-others.xyz", "fyigh-on.xyz", "c578.top", "adtv-wfj.xyz", "afin10.shop", "ecbsb.team"]}
Multi AV Scanner detection for submitted file
Source: Document.exe ReversingLabs: Detection: 18%
Yara detected FormBook
Source: Yara match File source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Document.exe.1680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Document.exe.1680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4511611873.0000000000A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2128868177.00000000025D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2128415255.00000000024E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4511505699.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2072442337.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4511034633.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2129518729.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Document.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Document.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: netstat.pdbGCTL source: svchost.exe, 00000002.00000002.2129553717.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2127082535.000000000281B000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4511892010.0000000000BF0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: netstat.pdb source: svchost.exe, 00000002.00000002.2129553717.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2127082535.000000000281B000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000004.00000002.4511892010.0000000000BF0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Document.exe, 00000000.00000003.2066594072.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000000.00000003.2062844599.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2069360139.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2129694151.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2071591572.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2129694151.000000000309E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4512023196.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000003.2127517092.0000000000A26000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4512023196.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000003.2130189837.0000000002C02000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Document.exe, 00000000.00000003.2066594072.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000000.00000003.2062844599.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2069360139.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2129694151.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2071591572.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2129694151.000000000309E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000004.00000002.4512023196.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000003.2127517092.0000000000A26000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4512023196.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000003.2130189837.0000000002C02000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4525816573.0000000010DCF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4511279774.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4512835848.00000000032FF000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4525816573.0000000010DCF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4511279774.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4512835848.00000000032FF000.00000004.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop edi 2_2_024F6CAF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop edi 2_2_024F7D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 4_2_00346CAF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 4_2_00347D3B

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49979 -> 170.33.13.246:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49979 -> 170.33.13.246:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49979 -> 170.33.13.246:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.280.vip/n04s/
Performs DNS queries to domains with low reputation
Source: DNS query: www.okavuxentid.xyz
Source: DNS query: www.eat-tyfp.xyz
Source: DNS query: www.ist-sxyu.xyz
Source: DNS query: www.sk-frby.xyz
Source: DNS query: www.ofdkd-determine.xyz
Source: DNS query: www.gnbft-top.xyz
Source: DNS query: www.adtv-wfj.xyz
Tries to resolve many domain names, but no domain seems valid
Source: unknown DNS traffic detected: query: www.eat-tyfp.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ompa77.click replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.rislyhallyhanced.cfd replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.15501.pro replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.sk-frby.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.reeremovebg.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.adtv-wfj.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ofdkd-determine.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.gnbft-top.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ist-sxyu.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.okavuxentid.xyz replaycode: Name error (3)
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: global traffic DNS traffic detected: DNS query: www.rislyhallyhanced.cfd
Source: global traffic DNS traffic detected: DNS query: www.ompa77.click
Source: global traffic DNS traffic detected: DNS query: www.okavuxentid.xyz
Source: global traffic DNS traffic detected: DNS query: www.eat-tyfp.xyz
Source: global traffic DNS traffic detected: DNS query: www.ist-sxyu.xyz
Source: global traffic DNS traffic detected: DNS query: www.sk-frby.xyz
Source: global traffic DNS traffic detected: DNS query: www.15501.pro
Source: global traffic DNS traffic detected: DNS query: www.ofdkd-determine.xyz
Source: global traffic DNS traffic detected: DNS query: www.gnbft-top.xyz
Source: global traffic DNS traffic detected: DNS query: www.280.vip
Source: global traffic DNS traffic detected: DNS query: www.reeremovebg.top
Source: global traffic DNS traffic detected: DNS query: www.adtv-wfj.xyz
Source: explorer.exe, 00000003.00000003.3844318744.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4518460304.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3844318744.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4518460304.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.2074375814.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4511082472.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000003.00000003.3844318744.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4518460304.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3844318744.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4518460304.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000003.3844318744.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4518460304.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3844318744.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4518460304.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000003.3844318744.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4518460304.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3844318744.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4518460304.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.4518460304.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3844318744.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000000.2078514387.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2078472980.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2077830564.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.15501.pro
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.15501.pro/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.15501.pro/n04s/www.ofdkd-determine.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.15501.proReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.280.vip
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.280.vip/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.280.vip/n04s/www.reeremovebg.top
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.280.vipReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.adtv-wfj.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.adtv-wfj.xyz/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.adtv-wfj.xyz/n04s/www.etinfin8y.click
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.adtv-wfj.xyzReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amedana.click
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amedana.click/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amedana.click/n04s/x
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amedana.clickReferer:
Source: explorer.exe, 00000003.00000000.2083213710.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100496365.000000000C85F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eat-tyfp.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eat-tyfp.xyz/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eat-tyfp.xyz/n04s/www.ist-sxyu.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eat-tyfp.xyzReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eovk-how.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eovk-how.xyz/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eovk-how.xyz/n04s/www.amedana.click
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eovk-how.xyzReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.etinfin8y.click
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.etinfin8y.click/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.etinfin8y.click/n04s/www.fgiopa.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.etinfin8y.clickReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fgiopa.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fgiopa.xyz/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fgiopa.xyz/n04s/www.eovk-how.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fgiopa.xyzReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gnbft-top.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gnbft-top.xyz/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gnbft-top.xyz/n04s/www.280.vip
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gnbft-top.xyzReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ist-sxyu.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ist-sxyu.xyz/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ist-sxyu.xyz/n04s/www.sk-frby.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ist-sxyu.xyzReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ofdkd-determine.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ofdkd-determine.xyz/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ofdkd-determine.xyz/n04s/www.gnbft-top.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ofdkd-determine.xyzReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.okavuxentid.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.okavuxentid.xyz/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.okavuxentid.xyz/n04s/www.eat-tyfp.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.okavuxentid.xyzReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ompa77.click
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ompa77.click/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ompa77.click/n04s/www.okavuxentid.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ompa77.clickReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reeremovebg.top
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reeremovebg.top/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reeremovebg.top/n04s/www.adtv-wfj.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reeremovebg.topReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rislyhallyhanced.cfd
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rislyhallyhanced.cfd/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rislyhallyhanced.cfd/n04s/www.ompa77.click
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rislyhallyhanced.cfdReferer:
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sk-frby.xyz
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sk-frby.xyz/n04s/
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sk-frby.xyz/n04s/www.15501.pro
Source: explorer.exe, 00000003.00000003.3847898750.0000000003540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100810025.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.0000000003540000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sk-frby.xyzReferer:
Source: explorer.exe, 00000003.00000000.2082466154.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4522312092.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000003.00000000.2076890852.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000003.3844318744.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4518460304.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000002.4515309976.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2076890852.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000003.3095701518.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2075435734.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4513111248.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000003.00000002.4519451099.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3101602705.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095067217.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000000.2079597130.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3100237961.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4519509128.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095067217.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000000.2082466154.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4522312092.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000003.00000002.4518460304.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3844318744.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000003.00000002.4518460304.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3844318744.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00456354
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C08E

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Document.exe.1680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Document.exe.1680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4511611873.0000000000A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2128868177.00000000025D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2128415255.00000000024E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4511505699.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2072442337.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4511034633.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2129518729.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Document.exe.1680000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Document.exe.1680000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Document.exe.1680000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Document.exe.1680000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Document.exe.1680000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Document.exe.1680000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4526277083.0000000011619000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000004.00000002.4511611873.0000000000A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4511611873.0000000000A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4511611873.0000000000A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2128868177.00000000025D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2128868177.00000000025D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2128868177.00000000025D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2128415255.00000000024E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2128415255.00000000024E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2128415255.00000000024E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4511505699.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4511505699.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4511505699.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2072442337.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2072442337.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2072442337.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4511034633.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4511034633.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4511034633.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2129518729.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2129518729.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2129518729.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Document.exe PID: 3504, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 3964, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 5512, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Document.exe
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72AD0 NtReadFile,LdrInitializeThunk, 2_2_02F72AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_02F72BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72B60 NtClose,LdrInitializeThunk, 2_2_02F72B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_02F72EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72E80 NtReadVirtualMemory,LdrInitializeThunk, 2_2_02F72E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72FE0 NtCreateFile,LdrInitializeThunk, 2_2_02F72FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72FB0 NtResumeThread,LdrInitializeThunk, 2_2_02F72FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72F90 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_02F72F90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72F30 NtCreateSection,LdrInitializeThunk, 2_2_02F72F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72CA0 NtQueryInformationToken,LdrInitializeThunk, 2_2_02F72CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_02F72C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_02F72DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72DD0 NtDelayExecution,LdrInitializeThunk, 2_2_02F72DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72D30 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_02F72D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72D10 NtMapViewOfSection,LdrInitializeThunk, 2_2_02F72D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F74340 NtSetContextThread, 2_2_02F74340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F74650 NtSuspendThread, 2_2_02F74650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72AF0 NtWriteFile, 2_2_02F72AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72AB0 NtWaitForSingleObject, 2_2_02F72AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72BE0 NtQueryValueKey, 2_2_02F72BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72BA0 NtEnumerateValueKey, 2_2_02F72BA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72B80 NtQueryInformationFile, 2_2_02F72B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72EE0 NtQueueApcThread, 2_2_02F72EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72E30 NtWriteVirtualMemory, 2_2_02F72E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72FA0 NtQuerySection, 2_2_02F72FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72F60 NtCreateProcessEx, 2_2_02F72F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72CF0 NtOpenProcess, 2_2_02F72CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72CC0 NtQueryVirtualMemory, 2_2_02F72CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72C60 NtCreateKey, 2_2_02F72C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72C00 NtQueryInformationProcess, 2_2_02F72C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72DB0 NtEnumerateKey, 2_2_02F72DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72D00 NtSetInformationFile, 2_2_02F72D00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F73090 NtSetValueKey, 2_2_02F73090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F73010 NtOpenDirectoryObject, 2_2_02F73010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F735C0 NtCreateMutant, 2_2_02F735C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F739B0 NtGetContextThread, 2_2_02F739B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F73D70 NtOpenThread, 2_2_02F73D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F73D10 NtOpenProcessToken, 2_2_02F73D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FA320 NtCreateFile, 2_2_024FA320
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FA3D0 NtReadFile, 2_2_024FA3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FA450 NtClose, 2_2_024FA450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FA500 NtAllocateVirtualMemory, 2_2_024FA500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FA3CB NtReadFile, 2_2_024FA3CB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FA44A NtClose, 2_2_024FA44A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FA4FA NtAllocateVirtualMemory, 2_2_024FA4FA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E8A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 2_2_02E8A036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E8A042 NtQueryInformationProcess, 2_2_02E8A042
Source: C:\Windows\explorer.exe Code function: 3_2_11601232 NtCreateFile, 3_2_11601232
Source: C:\Windows\explorer.exe Code function: 3_2_11602E12 NtProtectVirtualMemory, 3_2_11602E12
Source: C:\Windows\explorer.exe Code function: 3_2_11602E0A NtProtectVirtualMemory, 3_2_11602E0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22AD0 NtReadFile,LdrInitializeThunk, 4_2_02E22AD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22BE0 NtQueryValueKey,LdrInitializeThunk, 4_2_02E22BE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_02E22BF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22B60 NtClose,LdrInitializeThunk, 4_2_02E22B60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_02E22EA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22FE0 NtCreateFile,LdrInitializeThunk, 4_2_02E22FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22F30 NtCreateSection,LdrInitializeThunk, 4_2_02E22F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22CA0 NtQueryInformationToken,LdrInitializeThunk, 4_2_02E22CA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22C60 NtCreateKey,LdrInitializeThunk, 4_2_02E22C60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_02E22C70
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_02E22DF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22DD0 NtDelayExecution,LdrInitializeThunk, 4_2_02E22DD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22D10 NtMapViewOfSection,LdrInitializeThunk, 4_2_02E22D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E235C0 NtCreateMutant,LdrInitializeThunk, 4_2_02E235C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E24340 NtSetContextThread, 4_2_02E24340
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E24650 NtSuspendThread, 4_2_02E24650
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22AF0 NtWriteFile, 4_2_02E22AF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22AB0 NtWaitForSingleObject, 4_2_02E22AB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22BA0 NtEnumerateValueKey, 4_2_02E22BA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22B80 NtQueryInformationFile, 4_2_02E22B80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22EE0 NtQueueApcThread, 4_2_02E22EE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22E80 NtReadVirtualMemory, 4_2_02E22E80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22E30 NtWriteVirtualMemory, 4_2_02E22E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22FA0 NtQuerySection, 4_2_02E22FA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22FB0 NtResumeThread, 4_2_02E22FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22F90 NtProtectVirtualMemory, 4_2_02E22F90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22F60 NtCreateProcessEx, 4_2_02E22F60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22CF0 NtOpenProcess, 4_2_02E22CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22CC0 NtQueryVirtualMemory, 4_2_02E22CC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22C00 NtQueryInformationProcess, 4_2_02E22C00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22DB0 NtEnumerateKey, 4_2_02E22DB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22D30 NtUnmapViewOfSection, 4_2_02E22D30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E22D00 NtSetInformationFile, 4_2_02E22D00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E23090 NtSetValueKey, 4_2_02E23090
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E23010 NtOpenDirectoryObject, 4_2_02E23010
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E239B0 NtGetContextThread, 4_2_02E239B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E23D70 NtOpenThread, 4_2_02E23D70
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E23D10 NtOpenProcessToken, 4_2_02E23D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0034A320 NtCreateFile, 4_2_0034A320
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0034A3D0 NtReadFile, 4_2_0034A3D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0034A450 NtClose, 4_2_0034A450
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0034A500 NtAllocateVirtualMemory, 4_2_0034A500
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0034A3CB NtReadFile, 4_2_0034A3CB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0034A44A NtClose, 4_2_0034A44A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0034A4FA NtAllocateVirtualMemory, 4_2_0034A4FA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00AFA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 4_2_00AFA036
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00AF9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 4_2_00AF9BAF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00AFA042 NtQueryInformationProcess, 4_2_00AFA042
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00AF9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00AF9BB2
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004461ED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Detected potential crypto function
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00409A40 0_2_00409A40
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00412038 0_2_00412038
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00427161 0_2_00427161
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0047E1FA 0_2_0047E1FA
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004212BE 0_2_004212BE
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00443390 0_2_00443390
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00443391 0_2_00443391
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0041A46B 0_2_0041A46B
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0041240C 0_2_0041240C
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00446566 0_2_00446566
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004045E0 0_2_004045E0
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0041D750 0_2_0041D750
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004037E0 0_2_004037E0
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00427859 0_2_00427859
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00412818 0_2_00412818
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0040F890 0_2_0040F890
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0042397B 0_2_0042397B
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00411B63 0_2_00411B63
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0047CBF0 0_2_0047CBF0
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0044EBBC 0_2_0044EBBC
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00412C38 0_2_00412C38
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0044ED9A 0_2_0044ED9A
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00423EBF 0_2_00423EBF
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00424F70 0_2_00424F70
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0041AF0D 0_2_0041AF0D
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_03DB6510 0_2_03DB6510
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC02C0 2_2_02FC02C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030003E6 2_2_030003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E3F0 2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFA352 2_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030001AA 2_2_030001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF81CC 2_2_02FF81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF41A2 2_2_02FF41A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC8158 2_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDA118 2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30100 2_2_02F30100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5C6E0 2_2_02F5C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3C7C0 2_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F64750 2_2_02F64750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEE4F6 2_2_02FEE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03000591 2_2_03000591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF2446 2_2_02FF2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE4420 2_2_02FE4420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3EA80 2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF6BD7 2_2_02FF6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFAB40 2_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E8F0 2_2_02F6E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F268B8 2_2_02F268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300A9A6 2_2_0300A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4A840 2_2_02F4A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F42840 2_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F56962 2_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFEEDB 2_2_02FFEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F52E90 2_2_02F52E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFCE93 2_2_02FFCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40E59 2_2_02F40E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFEE26 2_2_02FFEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4CFE0 2_2_02F4CFE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F32FC8 2_2_02F32FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBEFA0 2_2_02FBEFA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB4F40 2_2_02FB4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F60F30 2_2_02F60F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE2F30 2_2_02FE2F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F82F28 2_2_02F82F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30CF2 2_2_02F30CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0CB5 2_2_02FE0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40C00 2_2_02F40C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3ADE0 2_2_02F3ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F58DBF 2_2_02F58DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDCD1F 2_2_02FDCD1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4AD00 2_2_02F4AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE12ED 2_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5B2C0 2_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F452A0 2_2_02F452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F8739A 2_2_02F8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2D34C 2_2_02F2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF132D 2_2_02FF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF70E9 2_2_02FF70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFF0E0 2_2_02FFF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEF0CC 2_2_02FEF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F470C0 2_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300B16B 2_2_0300B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4B1B0 2_2_02F4B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2F172 2_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F7516C 2_2_02F7516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF16CC 2_2_02FF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F85630 2_2_02F85630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFF7B0 2_2_02FFF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F31460 2_2_02F31460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFF43F 2_2_02FFF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030095C3 2_2_030095C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDD5B0 2_2_02FDD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF7571 2_2_02FF7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEDAC6 2_2_02FEDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDDAAC 2_2_02FDDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F85AA0 2_2_02F85AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE1AA3 2_2_02FE1AA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB3A6C 2_2_02FB3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFFA49 2_2_02FFFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF7A46 2_2_02FF7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB5BF0 2_2_02FB5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F7DBF9 2_2_02F7DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5FB80 2_2_02F5FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFFB76 2_2_02FFFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F438E0 2_2_02F438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAD800 2_2_02FAD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F49950 2_2_02F49950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5B950 2_2_02F5B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD5910 2_2_02FD5910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F49EB0 2_2_02F49EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F03FD2 2_2_02F03FD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F03FD5 2_2_02F03FD5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFFFB1 2_2_02FFFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F41F92 2_2_02F41F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFFF09 2_2_02FFFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFFCF2 2_2_02FFFCF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB9C32 2_2_02FB9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5FDC0 2_2_02F5FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF7D73 2_2_02FF7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF1D5A 2_2_02FF1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F43D40 2_2_02F43D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FE6EF 2_2_024FE6EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024E2FB0 2_2_024E2FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024E2D87 2_2_024E2D87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024E2D90 2_2_024E2D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024E1030 2_2_024E1030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FD7AC 2_2_024FD7AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FDA38 2_2_024FDA38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024E9E50 2_2_024E9E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E8A036 2_2_02E8A036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E8B232 2_2_02E8B232
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E81082 2_2_02E81082
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E8E5CD 2_2_02E8E5CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E85B30 2_2_02E85B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E85B32 2_2_02E85B32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E88912 2_2_02E88912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E82D02 2_2_02E82D02
Source: C:\Windows\explorer.exe Code function: 3_2_10A13082 3_2_10A13082
Source: C:\Windows\explorer.exe Code function: 3_2_10A1C036 3_2_10A1C036
Source: C:\Windows\explorer.exe Code function: 3_2_10A205CD 3_2_10A205CD
Source: C:\Windows\explorer.exe Code function: 3_2_10A14D02 3_2_10A14D02
Source: C:\Windows\explorer.exe Code function: 3_2_10A1A912 3_2_10A1A912
Source: C:\Windows\explorer.exe Code function: 3_2_10A1D232 3_2_10A1D232
Source: C:\Windows\explorer.exe Code function: 3_2_10A17B30 3_2_10A17B30
Source: C:\Windows\explorer.exe Code function: 3_2_10A17B32 3_2_10A17B32
Source: C:\Windows\explorer.exe Code function: 3_2_11601232 3_2_11601232
Source: C:\Windows\explorer.exe Code function: 3_2_115FE912 3_2_115FE912
Source: C:\Windows\explorer.exe Code function: 3_2_115F8D02 3_2_115F8D02
Source: C:\Windows\explorer.exe Code function: 3_2_115FBB32 3_2_115FBB32
Source: C:\Windows\explorer.exe Code function: 3_2_115FBB30 3_2_115FBB30
Source: C:\Windows\explorer.exe Code function: 3_2_116045CD 3_2_116045CD
Source: C:\Windows\explorer.exe Code function: 3_2_11600036 3_2_11600036
Source: C:\Windows\explorer.exe Code function: 3_2_115F7082 3_2_115F7082
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00BF1715 4_2_00BF1715
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00BF2167 4_2_00BF2167
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E702C0 4_2_02E702C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E90274 4_2_02E90274
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EB03E6 4_2_02EB03E6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DFE3F0 4_2_02DFE3F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAA352 4_2_02EAA352
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E82000 4_2_02E82000
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA81CC 4_2_02EA81CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EB01AA 4_2_02EB01AA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA41A2 4_2_02EA41A2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E78158 4_2_02E78158
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DE0100 4_2_02DE0100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E8A118 4_2_02E8A118
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E0C6E0 4_2_02E0C6E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DEC7C0 4_2_02DEC7C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF0770 4_2_02DF0770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E14750 4_2_02E14750
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E9E4F6 4_2_02E9E4F6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA2446 4_2_02EA2446
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E94420 4_2_02E94420
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EB0591 4_2_02EB0591
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF0535 4_2_02DF0535
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DEEA80 4_2_02DEEA80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA6BD7 4_2_02EA6BD7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAAB40 4_2_02EAAB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E1E8F0 4_2_02E1E8F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DD68B8 4_2_02DD68B8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF2840 4_2_02DF2840
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DFA840 4_2_02DFA840
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EBA9A6 4_2_02EBA9A6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF29A0 4_2_02DF29A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E06962 4_2_02E06962
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAEEDB 4_2_02EAEEDB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E02E90 4_2_02E02E90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EACE93 4_2_02EACE93
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF0E59 4_2_02DF0E59
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAEE26 4_2_02EAEE26
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DE2FC8 4_2_02DE2FC8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DFCFE0 4_2_02DFCFE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E6EFA0 4_2_02E6EFA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E64F40 4_2_02E64F40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E32F28 4_2_02E32F28
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E10F30 4_2_02E10F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E92F30 4_2_02E92F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DE0CF2 4_2_02DE0CF2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E90CB5 4_2_02E90CB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF0C00 4_2_02DF0C00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DEADE0 4_2_02DEADE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E08DBF 4_2_02E08DBF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DFAD00 4_2_02DFAD00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E8CD1F 4_2_02E8CD1F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E912ED 4_2_02E912ED
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E0B2C0 4_2_02E0B2C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF52A0 4_2_02DF52A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3739A 4_2_02E3739A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DDD34C 4_2_02DDD34C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA132D 4_2_02EA132D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA70E9 4_2_02EA70E9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAF0E0 4_2_02EAF0E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF70C0 4_2_02DF70C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E9F0CC 4_2_02E9F0CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DFB1B0 4_2_02DFB1B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EBB16B 4_2_02EBB16B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2516C 4_2_02E2516C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DDF172 4_2_02DDF172
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA16CC 4_2_02EA16CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E35630 4_2_02E35630
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAF7B0 4_2_02EAF7B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DE1460 4_2_02DE1460
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAF43F 4_2_02EAF43F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EB95C3 4_2_02EB95C3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E8D5B0 4_2_02E8D5B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA7571 4_2_02EA7571
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E9DAC6 4_2_02E9DAC6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E35AA0 4_2_02E35AA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E8DAAC 4_2_02E8DAAC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E91AA3 4_2_02E91AA3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E63A6C 4_2_02E63A6C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAFA49 4_2_02EAFA49
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA7A46 4_2_02EA7A46
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E65BF0 4_2_02E65BF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2DBF9 4_2_02E2DBF9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E0FB80 4_2_02E0FB80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAFB76 4_2_02EAFB76
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF38E0 4_2_02DF38E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E5D800 4_2_02E5D800
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF9950 4_2_02DF9950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E0B950 4_2_02E0B950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E85910 4_2_02E85910
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF9EB0 4_2_02DF9EB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DB3FD2 4_2_02DB3FD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DB3FD5 4_2_02DB3FD5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF1F92 4_2_02DF1F92
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAFFB1 4_2_02EAFFB1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAFF09 4_2_02EAFF09
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAFCF2 4_2_02EAFCF2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E69C32 4_2_02E69C32
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E0FDC0 4_2_02E0FDC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA7D73 4_2_02EA7D73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DF3D40 4_2_02DF3D40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA1D5A 4_2_02EA1D5A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0034E6EF 4_2_0034E6EF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0034D7AC 4_2_0034D7AC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0034DA38 4_2_0034DA38
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00332D90 4_2_00332D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00332D87 4_2_00332D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00339E50 4_2_00339E50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00332FB0 4_2_00332FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00AFA036 4_2_00AFA036
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00AF1082 4_2_00AF1082
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00AF8912 4_2_00AF8912
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00AFB232 4_2_00AFB232
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00AF5B32 4_2_00AF5B32
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00AF5B30 4_2_00AF5B30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00AFE5CD 4_2_00AFE5CD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00AF2D02 4_2_00AF2D02
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Document.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\Document.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\Document.exe Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\Document.exe Code function: String function: 0040E6D0 appears 35 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 02E5EA12 appears 86 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 02DDB970 appears 280 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 02E25130 appears 58 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 02E6F290 appears 105 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 02E37E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 02FAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 02FBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 02F75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 02F87E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 02F2B970 appears 280 times
Sample file is different than original file name gathered from version info
Source: Document.exe, 00000000.00000003.2062844599.00000000042ED000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Document.exe
Source: Document.exe, 00000000.00000003.2063485310.0000000004143000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Document.exe
Uses 32bit PE files
Source: Document.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Document.exe.1680000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Document.exe.1680000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Document.exe.1680000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Document.exe.1680000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Document.exe.1680000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Document.exe.1680000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4526277083.0000000011619000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000004.00000002.4511611873.0000000000A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4511611873.0000000000A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4511611873.0000000000A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2128868177.00000000025D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2128868177.00000000025D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2128868177.00000000025D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2128415255.00000000024E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2128415255.00000000024E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2128415255.00000000024E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4511505699.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4511505699.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4511505699.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2072442337.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2072442337.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2072442337.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4511034633.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4511034633.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4511034633.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2129518729.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2129518729.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2129518729.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Document.exe PID: 3504, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 3964, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 5512, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@13/0
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW, 0_2_0044AF5C
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464422
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00BF1C89 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle, 4_2_00BF1C89
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00BF1CFC GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle, 4_2_00BF1CFC
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D517
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle, 0_2_0043701F
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_0047A999
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043614F
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Users\user\Desktop\Document.exe File created: C:\Users\user\AppData\Local\Temp\recomplete Jump to behavior
Source: Document.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Document.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Document.exe ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\Document.exe File read: C:\Users\user\Desktop\Document.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Document.exe "C:\Users\user\Desktop\Document.exe"
Source: C:\Users\user\Desktop\Document.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Document.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Document.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Document.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE" Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: snmpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Document.exe Static file information: File size 1090929 > 1048576
Source: Binary string: netstat.pdbGCTL source: svchost.exe, 00000002.00000002.2129553717.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2127082535.000000000281B000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4511892010.0000000000BF0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: netstat.pdb source: svchost.exe, 00000002.00000002.2129553717.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2127082535.000000000281B000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000004.00000002.4511892010.0000000000BF0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Document.exe, 00000000.00000003.2066594072.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000000.00000003.2062844599.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2069360139.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2129694151.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2071591572.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2129694151.000000000309E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4512023196.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000003.2127517092.0000000000A26000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4512023196.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000003.2130189837.0000000002C02000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Document.exe, 00000000.00000003.2066594072.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Document.exe, 00000000.00000003.2062844599.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2069360139.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2129694151.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2071591572.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2129694151.000000000309E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000004.00000002.4512023196.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000003.2127517092.0000000000A26000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4512023196.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000003.2130189837.0000000002C02000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4525816573.0000000010DCF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4511279774.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4512835848.00000000032FF000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4525816573.0000000010DCF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4511279774.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000004.00000002.4512835848.00000000032FF000.00000004.10000000.00040000.00000000.sdmp
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
PE file contains an invalid checksum
Source: Document.exe Static PE information: real checksum: 0xa2135 should be: 0x10b2ff
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00490CC6 pushfd ; ret 0_2_00490CC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F0225F pushad ; ret 2_2_02F027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F027FA pushad ; ret 2_2_02F027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F0283D push eax; iretd 2_2_02F02858
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F309AD push ecx; mov dword ptr [esp], ecx 2_2_02F309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F01368 push eax; iretd 2_2_02F01369
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024EE29C push ecx; ret 2_2_024EE2D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FE872 push ebx; ret 2_2_024FE873
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024ED3BC push esi; retf 2_2_024ED3BD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024F71A4 push ss; iretd 2_2_024F71A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FD475 push eax; ret 2_2_024FD4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FD4CB push eax; ret 2_2_024FD532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FD4C2 push eax; ret 2_2_024FD4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024FD52C push eax; ret 2_2_024FD532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E8EB02 push esp; retn 0000h 2_2_02E8EB03
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E8EB1E push esp; retn 0000h 2_2_02E8EB1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02E8E9B5 push esp; retn 0000h 2_2_02E8EAE7
Source: C:\Windows\explorer.exe Code function: 3_2_10A209B5 push esp; retn 0000h 3_2_10A20AE7
Source: C:\Windows\explorer.exe Code function: 3_2_10A20B02 push esp; retn 0000h 3_2_10A20B03
Source: C:\Windows\explorer.exe Code function: 3_2_10A20B1E push esp; retn 0000h 3_2_10A20B1F
Source: C:\Windows\explorer.exe Code function: 3_2_11604B02 push esp; retn 0000h 3_2_11604B03
Source: C:\Windows\explorer.exe Code function: 3_2_11604B1E push esp; retn 0000h 3_2_11604B1F
Source: C:\Windows\explorer.exe Code function: 3_2_116049B5 push esp; retn 0000h 3_2_11604AE7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00BF60DD push ecx; ret 4_2_00BF60F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DB225F pushad ; ret 4_2_02DB27F9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DB27FA pushad ; ret 4_2_02DB27F9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DB283D push eax; iretd 4_2_02DB2858
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DE09AD push ecx; mov dword ptr [esp], ecx 4_2_02DE09B6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02DB1368 push eax; iretd 4_2_02DB1369
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_003471A4 push ss; iretd 4_2_003471A5
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00444078 0_2_00444078
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\Document.exe API/Special instruction interceptor: Address: 3DB6134
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF8C88EDA44
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 24E9904 second address: 24E990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 24E9B6E second address: 24E9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 339904 second address: 33990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 339B6E second address: 339B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F7096E rdtsc 2_2_02F7096E
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2006 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 7943 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 883 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 864 Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Window / User API: threadDelayed 9794 Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Document.exe API coverage: 3.3 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.0 %
Source: C:\Windows\SysWOW64\NETSTAT.EXE API coverage: 2.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 7120 Thread sleep count: 2006 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 7120 Thread sleep time: -4012000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7120 Thread sleep count: 7943 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 7120 Thread sleep time: -15886000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3944 Thread sleep count: 177 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3944 Thread sleep time: -354000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3944 Thread sleep count: 9794 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3944 Thread sleep time: -19588000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: explorer.exe, 00000003.00000000.2076890852.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000003.00000003.3095067217.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000003.00000003.3844318744.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4518460304.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000003.00000003.3095067217.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000003.3095067217.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000003.00000003.3844318744.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000003.00000003.3095067217.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.2075435734.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000003.00000003.3095067217.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.2075435734.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000002.4511082472.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000003.00000000.2076890852.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000003.00000002.4518460304.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.2075435734.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000000.2075435734.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000003.00000003.3095067217.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000003.00000003.3095067217.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000003.00000002.4511082472.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000003.3844318744.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.2076890852.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F7096E rdtsc 2_2_02F7096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72AD0 NtReadFile,LdrInitializeThunk, 2_2_02F72AD0
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_03DB63A0 mov eax, dword ptr fs:[00000030h] 0_2_03DB63A0
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_03DB6400 mov eax, dword ptr fs:[00000030h] 0_2_03DB6400
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_03DB4D50 mov eax, dword ptr fs:[00000030h] 0_2_03DB4D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h] 2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h] 2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h] 2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03008324 mov eax, dword ptr fs:[00000030h] 2_2_03008324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03008324 mov ecx, dword ptr fs:[00000030h] 2_2_03008324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03008324 mov eax, dword ptr fs:[00000030h] 2_2_03008324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03008324 mov eax, dword ptr fs:[00000030h] 2_2_03008324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300634F mov eax, dword ptr fs:[00000030h] 2_2_0300634F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F402A0 mov eax, dword ptr fs:[00000030h] 2_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F402A0 mov eax, dword ptr fs:[00000030h] 2_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h] 2_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h] 2_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h] 2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h] 2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h] 2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h] 2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h] 2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h] 2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2826B mov eax, dword ptr fs:[00000030h] 2_2_02F2826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A250 mov eax, dword ptr fs:[00000030h] 2_2_02F2A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36259 mov eax, dword ptr fs:[00000030h] 2_2_02F36259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEA250 mov eax, dword ptr fs:[00000030h] 2_2_02FEA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEA250 mov eax, dword ptr fs:[00000030h] 2_2_02FEA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB8243 mov eax, dword ptr fs:[00000030h] 2_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB8243 mov ecx, dword ptr fs:[00000030h] 2_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2823B mov eax, dword ptr fs:[00000030h] 2_2_02F2823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F663FF mov eax, dword ptr fs:[00000030h] 2_2_02F663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE3DB mov ecx, dword ptr fs:[00000030h] 2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h] 2_2_02FD43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h] 2_2_02FD43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEC3CD mov eax, dword ptr fs:[00000030h] 2_2_02FEC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h] 2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h] 2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h] 2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h] 2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB63C0 mov eax, dword ptr fs:[00000030h] 2_2_02FB63C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300625D mov eax, dword ptr fs:[00000030h] 2_2_0300625D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h] 2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h] 2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h] 2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h] 2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h] 2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h] 2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h] 2_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h] 2_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD437C mov eax, dword ptr fs:[00000030h] 2_2_02FD437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov ecx, dword ptr fs:[00000030h] 2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFA352 mov eax, dword ptr fs:[00000030h] 2_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD8350 mov ecx, dword ptr fs:[00000030h] 2_2_02FD8350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030062D6 mov eax, dword ptr fs:[00000030h] 2_2_030062D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C310 mov ecx, dword ptr fs:[00000030h] 2_2_02F2C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F50310 mov ecx, dword ptr fs:[00000030h] 2_2_02F50310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h] 2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h] 2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h] 2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C0F0 mov eax, dword ptr fs:[00000030h] 2_2_02F2C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F720F0 mov ecx, dword ptr fs:[00000030h] 2_2_02F720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_02F2A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F380E9 mov eax, dword ptr fs:[00000030h] 2_2_02F380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB60E0 mov eax, dword ptr fs:[00000030h] 2_2_02FB60E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB20DE mov eax, dword ptr fs:[00000030h] 2_2_02FB20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF60B8 mov eax, dword ptr fs:[00000030h] 2_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF60B8 mov ecx, dword ptr fs:[00000030h] 2_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F280A0 mov eax, dword ptr fs:[00000030h] 2_2_02F280A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC80A8 mov eax, dword ptr fs:[00000030h] 2_2_02FC80A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004164 mov eax, dword ptr fs:[00000030h] 2_2_03004164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004164 mov eax, dword ptr fs:[00000030h] 2_2_03004164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3208A mov eax, dword ptr fs:[00000030h] 2_2_02F3208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5C073 mov eax, dword ptr fs:[00000030h] 2_2_02F5C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F32050 mov eax, dword ptr fs:[00000030h] 2_2_02F32050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6050 mov eax, dword ptr fs:[00000030h] 2_2_02FB6050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC6030 mov eax, dword ptr fs:[00000030h] 2_2_02FC6030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A020 mov eax, dword ptr fs:[00000030h] 2_2_02F2A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C020 mov eax, dword ptr fs:[00000030h] 2_2_02F2C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h] 2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h] 2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h] 2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h] 2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030061E5 mov eax, dword ptr fs:[00000030h] 2_2_030061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB4000 mov ecx, dword ptr fs:[00000030h] 2_2_02FB4000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F601F8 mov eax, dword ptr fs:[00000030h] 2_2_02F601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h] 2_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h] 2_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h] 2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h] 2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h] 2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h] 2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h] 2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h] 2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h] 2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F70185 mov eax, dword ptr fs:[00000030h] 2_2_02F70185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h] 2_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h] 2_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h] 2_2_02FD4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h] 2_2_02FD4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C156 mov eax, dword ptr fs:[00000030h] 2_2_02F2C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC8158 mov eax, dword ptr fs:[00000030h] 2_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h] 2_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h] 2_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h] 2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h] 2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC4144 mov ecx, dword ptr fs:[00000030h] 2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h] 2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h] 2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F60124 mov eax, dword ptr fs:[00000030h] 2_2_02F60124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDA118 mov ecx, dword ptr fs:[00000030h] 2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h] 2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h] 2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h] 2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF0115 mov eax, dword ptr fs:[00000030h] 2_2_02FF0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h] 2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h] 2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h] 2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h] 2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h] 2_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h] 2_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A6C7 mov eax, dword ptr fs:[00000030h] 2_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F666B0 mov eax, dword ptr fs:[00000030h] 2_2_02F666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C6A6 mov eax, dword ptr fs:[00000030h] 2_2_02F6C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h] 2_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h] 2_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F62674 mov eax, dword ptr fs:[00000030h] 2_2_02F62674
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h] 2_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h] 2_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h] 2_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h] 2_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4C640 mov eax, dword ptr fs:[00000030h] 2_2_02F4C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E627 mov eax, dword ptr fs:[00000030h] 2_2_02F4E627
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F66620 mov eax, dword ptr fs:[00000030h] 2_2_02F66620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F68620 mov eax, dword ptr fs:[00000030h] 2_2_02F68620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3262C mov eax, dword ptr fs:[00000030h] 2_2_02F3262C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72619 mov eax, dword ptr fs:[00000030h] 2_2_02F72619
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE609 mov eax, dword ptr fs:[00000030h] 2_2_02FAE609
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h] 2_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h] 2_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h] 2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h] 2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h] 2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBE7E1 mov eax, dword ptr fs:[00000030h] 2_2_02FBE7E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3C7C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB07C3 mov eax, dword ptr fs:[00000030h] 2_2_02FB07C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F307AF mov eax, dword ptr fs:[00000030h] 2_2_02F307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE47A0 mov eax, dword ptr fs:[00000030h] 2_2_02FE47A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD678E mov eax, dword ptr fs:[00000030h] 2_2_02FD678E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38770 mov eax, dword ptr fs:[00000030h] 2_2_02F38770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30750 mov eax, dword ptr fs:[00000030h] 2_2_02F30750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBE75D mov eax, dword ptr fs:[00000030h] 2_2_02FBE75D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h] 2_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h] 2_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB4755 mov eax, dword ptr fs:[00000030h] 2_2_02FB4755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6674D mov esi, dword ptr fs:[00000030h] 2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h] 2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h] 2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h] 2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6273C mov ecx, dword ptr fs:[00000030h] 2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h] 2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAC730 mov eax, dword ptr fs:[00000030h] 2_2_02FAC730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h] 2_2_02F6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h] 2_2_02F6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30710 mov eax, dword ptr fs:[00000030h] 2_2_02F30710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F60710 mov eax, dword ptr fs:[00000030h] 2_2_02F60710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C700 mov eax, dword ptr fs:[00000030h] 2_2_02F6C700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F304E5 mov ecx, dword ptr fs:[00000030h] 2_2_02F304E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F644B0 mov ecx, dword ptr fs:[00000030h] 2_2_02F644B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBA4B0 mov eax, dword ptr fs:[00000030h] 2_2_02FBA4B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F364AB mov eax, dword ptr fs:[00000030h] 2_2_02F364AB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEA49A mov eax, dword ptr fs:[00000030h] 2_2_02FEA49A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h] 2_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h] 2_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h] 2_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBC460 mov ecx, dword ptr fs:[00000030h] 2_2_02FBC460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEA456 mov eax, dword ptr fs:[00000030h] 2_2_02FEA456
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2645D mov eax, dword ptr fs:[00000030h] 2_2_02F2645D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5245A mov eax, dword ptr fs:[00000030h] 2_2_02F5245A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A430 mov eax, dword ptr fs:[00000030h] 2_2_02F6A430
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h] 2_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h] 2_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h] 2_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C427 mov eax, dword ptr fs:[00000030h] 2_2_02F2C427
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h] 2_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h] 2_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h] 2_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F325E0 mov eax, dword ptr fs:[00000030h] 2_2_02F325E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h] 2_2_02F6C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h] 2_2_02F6C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F365D0 mov eax, dword ptr fs:[00000030h] 2_2_02F365D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h] 2_2_02F6A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h] 2_2_02F6A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h] 2_2_02F6E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h] 2_2_02F6E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h] 2_2_02F545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h] 2_2_02F545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h] 2_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h] 2_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h] 2_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E59C mov eax, dword ptr fs:[00000030h] 2_2_02F6E59C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F32582 mov eax, dword ptr fs:[00000030h] 2_2_02F32582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F32582 mov ecx, dword ptr fs:[00000030h] 2_2_02F32582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F64588 mov eax, dword ptr fs:[00000030h] 2_2_02F64588
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h] 2_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h] 2_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h] 2_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h] 2_2_02F38550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h] 2_2_02F38550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] 2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] 2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] 2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] 2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] 2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] 2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h] 2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h] 2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h] 2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h] 2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h] 2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC6500 mov eax, dword ptr fs:[00000030h] 2_2_02FC6500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004B00 mov eax, dword ptr fs:[00000030h] 2_2_03004B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h] 2_2_02F6AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h] 2_2_02F6AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30AD0 mov eax, dword ptr fs:[00000030h] 2_2_02F30AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h] 2_2_02F64AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h] 2_2_02F64AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h] 2_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h] 2_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h] 2_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h] 2_2_02F38AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h] 2_2_02F38AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h] 2_2_03002B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h] 2_2_03002B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h] 2_2_03002B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h] 2_2_03002B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F86AA4 mov eax, dword ptr fs:[00000030h] 2_2_02F86AA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F68A90 mov edx, dword ptr fs:[00000030h] 2_2_02F68A90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h] 2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h] 2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h] 2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h] 2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h] 2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h] 2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h] 2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h] 2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h] 2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h] 2_2_02FACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h] 2_2_02FACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h] 2_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h] 2_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h] 2_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDEA60 mov eax, dword ptr fs:[00000030h] 2_2_02FDEA60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h] 2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h] 2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h] 2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h] 2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h] 2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h] 2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h] 2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h] 2_2_02F40A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h] 2_2_02F40A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h] 2_2_02F54A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h] 2_2_02F54A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6CA38 mov eax, dword ptr fs:[00000030h] 2_2_02F6CA38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6CA24 mov eax, dword ptr fs:[00000030h] 2_2_02F6CA24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5EA2E mov eax, dword ptr fs:[00000030h] 2_2_02F5EA2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBCA11 mov eax, dword ptr fs:[00000030h] 2_2_02FBCA11
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h] 2_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h] 2_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h] 2_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5EBFC mov eax, dword ptr fs:[00000030h] 2_2_02F5EBFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBCBF0 mov eax, dword ptr fs:[00000030h] 2_2_02FBCBF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDEBD0 mov eax, dword ptr fs:[00000030h] 2_2_02FDEBD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h] 2_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h] 2_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h] 2_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h] 2_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h] 2_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h] 2_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h] 2_2_02F40BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h] 2_2_02F40BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE4BB0 mov eax, dword ptr fs:[00000030h] 2_2_02FE4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE4BB0 mov eax, dword ptr fs:[00000030h] 2_2_02FE4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004A80 mov eax, dword ptr fs:[00000030h] 2_2_03004A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2CB7E mov eax, dword ptr fs:[00000030h] 2_2_02F2CB7E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F28B50 mov eax, dword ptr fs:[00000030h] 2_2_02F28B50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDEB50 mov eax, dword ptr fs:[00000030h] 2_2_02FDEB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE4B4B mov eax, dword ptr fs:[00000030h] 2_2_02FE4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE4B4B mov eax, dword ptr fs:[00000030h] 2_2_02FE4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h] 2_2_02FC6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h] 2_2_02FC6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFAB40 mov eax, dword ptr fs:[00000030h] 2_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD8B42 mov eax, dword ptr fs:[00000030h] 2_2_02FD8B42
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h] 2_2_02F5EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h] 2_2_02F5EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h] 2_2_02FF8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h] 2_2_02FF8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h] 2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h] 2_2_02F6C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h] 2_2_02F6C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFA8E4 mov eax, dword ptr fs:[00000030h] 2_2_02FFA8E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E8C0 mov eax, dword ptr fs:[00000030h] 2_2_02F5E8C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004940 mov eax, dword ptr fs:[00000030h] 2_2_03004940
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBC89D mov eax, dword ptr fs:[00000030h] 2_2_02FBC89D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30887 mov eax, dword ptr fs:[00000030h] 2_2_02F30887
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h] 2_2_02FBE872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h] 2_2_02FBE872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h] 2_2_02FC6870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h] 2_2_02FC6870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F60854 mov eax, dword ptr fs:[00000030h] 2_2_02F60854
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h] 2_2_02F34859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h] 2_2_02F34859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F42840 mov ecx, dword ptr fs:[00000030h] 2_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h] 2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h] 2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h] 2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F52835 mov ecx, dword ptr fs:[00000030h] 2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h] 2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h] 2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A830 mov eax, dword ptr fs:[00000030h] 2_2_02F6A830
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h] 2_2_02FD483A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h] 2_2_02FD483A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBC810 mov eax, dword ptr fs:[00000030h] 2_2_02FBC810
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h] 2_2_02F629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h] 2_2_02F629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBE9E0 mov eax, dword ptr fs:[00000030h] 2_2_02FBE9E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F649D0 mov eax, dword ptr fs:[00000030h] 2_2_02F649D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFA9D3 mov eax, dword ptr fs:[00000030h] 2_2_02FFA9D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC69C0 mov eax, dword ptr fs:[00000030h] 2_2_02FC69C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB89B3 mov esi, dword ptr fs:[00000030h] 2_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h] 2_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h] 2_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h] 2_2_02F309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h] 2_2_02F309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h] 2_2_02FD4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h] 2_2_02FD4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBC97C mov eax, dword ptr fs:[00000030h] 2_2_02FBC97C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h] 2_2_02F56962
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
Enables debug privileges
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00BF5C30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00BF5C30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00BF5DC0 SetUnhandledExceptionFilter, 4_2_00BF5DC0

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Document.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 1028 Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 1028 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: BF0000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Document.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 359008 Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: memset,OpenProcess,K32GetModuleBaseNameW,CompareStringW,CompareStringW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,K32GetModuleBaseNameW,CloseHandle,LocalFree,FreeLibrary, svchost.exe 4_2_00BF38D2
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_00436431
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Document.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Document.exe" Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00BF58B6 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 4_2_00BF58B6
Source: explorer.exe, 00000003.00000002.4519451099.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2079597130.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3101602705.0000000009C21000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000003.00000000.2074889655.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4511963639.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: Document.exe, explorer.exe, 00000003.00000000.2074889655.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4514844569.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4511963639.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.2074889655.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4511963639.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: Document.exe Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000000.2074889655.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4511963639.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.2074375814.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4511082472.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Document.exe.1680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Document.exe.1680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4511611873.0000000000A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2128868177.00000000025D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2128415255.00000000024E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4511505699.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2072442337.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4511034633.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2129518729.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
OS version to string mapping found (often used in BOTs)
Source: Document.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: Document.exe Binary or memory string: WIN_XP
Source: Document.exe Binary or memory string: WIN_XPe
Source: Document.exe Binary or memory string: WIN_VISTA
Source: Document.exe Binary or memory string: WIN_7

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.svchost.exe.24e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Document.exe.1680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Document.exe.1680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4511611873.0000000000A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2128868177.00000000025D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2128415255.00000000024E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4511505699.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2072442337.0000000001680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4511034633.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2129518729.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\Document.exe Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00BF4B96 fprintf,GetUdpStatisticsEx,GetIpStatisticsEx,SnmpUtilMemAlloc,fprintf,fprintf,SnmpUtilMemFree,fprintf,fprintf,SnmpUtilMemAlloc,SnmpUtilOidCpy,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,GetIcmpStatisticsEx,GetTcpStatisticsEx, 4_2_00BF4B96
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1543822 Sample: Document.exe Startdate: 28/10/2024 Architecture: WINDOWS Score: 100 27 www.sk-frby.xyz 2->27 29 www.okavuxentid.xyz 2->29 31 11 other IPs or domains 2->31 35 Suricata IDS alerts for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 43 7 other signatures 2->43 11 Document.exe 1 2->11         started        signatures3 41 Performs DNS queries to domains with low reputation 29->41 process4 signatures5 53 Writes to foreign memory regions 11->53 55 Maps a DLL or memory area into another process 11->55 57 Switches to a custom stack to bypass stack traces 11->57 59 Contains functionality to detect sleep reduction / modifications 11->59 14 svchost.exe 11->14         started        process6 signatures7 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Maps a DLL or memory area into another process 14->63 65 Sample uses process hollowing technique 14->65 67 3 other signatures 14->67 17 explorer.exe 91 1 14->17 injected process8 signatures9 33 Uses netstat to query active network connections and open ports 17->33 20 NETSTAT.EXE 17->20         started        process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 51 Switches to a custom stack to bypass stack traces 20->51 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
No contacted IP infos

Contacted Domains

Name IP Active
overdue.aliyun.com 170.33.13.246 true
www.eat-tyfp.xyz unknown unknown
www.reeremovebg.top unknown unknown
www.ompa77.click unknown unknown
www.sk-frby.xyz unknown unknown
www.280.vip unknown unknown
www.adtv-wfj.xyz unknown unknown
www.15501.pro unknown unknown
www.ist-sxyu.xyz unknown unknown
www.gnbft-top.xyz unknown unknown
www.rislyhallyhanced.cfd unknown unknown
www.ofdkd-determine.xyz unknown unknown
www.okavuxentid.xyz unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.280.vip/n04s/ true
    		unknown