Windows Analysis Report
New PO 127429.exe

Overview

General Information

Sample name: New PO 127429.exe
Analysis ID: 1543823
MD5: 94d6aa80c6757c59f58f642c4e78bcfc
SHA1: d3a359f25a9692934749a63035e1f13c71c521c6
SHA256: 00140ab45e4fcbba5f1b52f3058a8ac015771eb60348617843ac7ca841b8bae9
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 0000000C.00000002.2330599381.0000000000310000.00000040.80000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.f6b-crxy.top/cu29/"], "decoy": ["qidr.shop", "usinessaviationconsulting.net", "68716329.xyz", "nd-los.net", "ealthironcladguarantee.shop", "oftware-download-69354.bond", "48372305.top", "omeownershub.top", "mall-chilli.top", "ajakgoid.online", "ire-changer-53482.bond", "rugsrx.shop", "oyang123.info", "azino-forum-pro.online", "817715.rest", "layman.vip", "eb777.club", "ovatonica.net", "urgaslotvip.website", "inn-paaaa.buzz", "reativedreams.design", "upremehomes.shop", "ames-saaab.buzz", "phonelock.xyz", "ideandseekvacations.xyz", "77179ksuhr.top", "ental-bridges-87553.bond", "7win2.bet", "ainan.company", "5mwhs.top", "hopp9.top", "65fhgejd3.xyz", "olandopaintingllc.online", "n-wee.buzz", "reshcasinoinfo2.top", "5734.party", "qtbyj.live", "gil.lat", "siabgc4d.online", "fios.top", "sed-cars-89003.bond", "nlineschools-2507-001-sap.click", "upiloffatemotors.online", "ordf.top", "achhonglan.shop", "irex.info", "oursmile.vip", "leachlondonstore.online", "asukacro.online", "panish-classes-64045.bond", "apita.top", "srtio.xyz", "kdsclci.bond", "ochacha.sbs", "oldsteps.buzz", "yzq0n.top", "npostl.xyz", "ladder-cancer-symptoms-mine.sbs", "400725iimfyuj120.top", "3589.photo", "rasilhojenoticias.online", "ependableequipment.online", "itusbandar126.info", "ohns.app"]}
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe ReversingLabs: Detection: 28%
Source: New PO 127429.exe ReversingLabs: Detection: 28%
Source: Yara match File source: 3.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.subpredicate.exe.3020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.subpredicate.exe.3020000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.subpredicate.exe.b30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.subpredicate.exe.b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2330599381.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4569629328.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4570251763.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2231589301.00000000003B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2325079929.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2231787989.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2325776767.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2327836661.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2291675436.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2232255534.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4570322313.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2162533053.0000000000B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Joe Sandbox ML: detected
Source: New PO 127429.exe Joe Sandbox ML: detected
Source: New PO 127429.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: WWAHost.pdb source: svchost.exe, 00000003.00000002.2232939719.0000000004CC0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2231224412.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2231048518.0000000003300000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4569716945.0000000000650000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: WWAHost.pdbUGP source: svchost.exe, 00000003.00000002.2232939719.0000000004CC0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2231224412.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2231048518.0000000003300000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4569716945.0000000000650000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: subpredicate.exe, 00000002.00000003.2159303367.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 00000002.00000003.2159492823.0000000004250000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2163399323.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2161769954.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2231901830.0000000000D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2231901830.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4571145912.000000000377E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4571145912.00000000035E0000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2234581135.0000000003431000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2231987186.0000000003287000.00000004.00000020.00020000.00000000.sdmp, subpredicate.exe, 00000009.00000003.2289872805.0000000004040000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 00000009.00000003.2290520431.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2328642904.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2290568190.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2328642904.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2292396362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.2334320683.0000000004540000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000C.00000002.2334320683.00000000046DE000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000C.00000003.2325054368.00000000041D0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.2327955879.000000000438F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: control.pdb source: svchost.exe, 0000000B.00000003.2324322977.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2324212356.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.2333948575.00000000004F0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: subpredicate.exe, 00000002.00000003.2159303367.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 00000002.00000003.2159492823.0000000004250000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.2163399323.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2161769954.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2231901830.0000000000D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2231901830.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4571145912.000000000377E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4571145912.00000000035E0000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2234581135.0000000003431000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2231987186.0000000003287000.00000004.00000020.00020000.00000000.sdmp, subpredicate.exe, 00000009.00000003.2289872805.0000000004040000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 00000009.00000003.2290520431.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2328642904.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2290568190.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2328642904.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2292396362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.2334320683.0000000004540000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000C.00000002.2334320683.00000000046DE000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000C.00000003.2325054368.00000000041D0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.2327955879.000000000438F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: control.pdbUGP source: svchost.exe, 0000000B.00000003.2324322977.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2324212356.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.2333948575.00000000004F0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000004.00000002.4583774603.0000000010B7F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4570454249.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4571847507.0000000003B2F000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000004.00000002.4583774603.0000000010B7F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4570454249.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4571847507.0000000003B2F000.00000004.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00452126
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 2_2_0045C999
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00436ADE
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00434BEE
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0045DD7C FindFirstFileW,FindClose, 2_2_0045DD7C
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 2_2_0044BD29
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 2_2_00436D2D
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00442E1F
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_00475FE5
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0044BF8D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop ebx 3_2_003B7B22

Networking

Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49984 -> 85.13.166.18:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49984 -> 85.13.166.18:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49984 -> 85.13.166.18:80
Source: Malware configuration extractor URLs: www.f6b-crxy.top/cu29/
Source: unknown DNS traffic detected: query: www.ainan.company replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.itusbandar126.info replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.nlineschools-2507-001-sap.click replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ajakgoid.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.siabgc4d.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.48372305.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.f6b-crxy.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.oursmile.vip replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.olandopaintingllc.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.inn-paaaa.buzz replaycode: Name error (3)
Source: global traffic HTTP traffic detected: GET /cu29/?u6Zt=IwPUjMyQOkFzpF8yWccrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZNgnCDylQV65J9tAeA==&kR-l=xP68RjTX HTTP/1.1Host: www.irex.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View ASN Name: NMM-ASD-02742FriedersdorfHauptstrasse68DE NMM-ASD-02742FriedersdorfHauptstrasse68DE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: global traffic DNS traffic detected: DNS query: www.oursmile.vip
Source: global traffic DNS traffic detected: DNS query: www.ainan.company
Source: global traffic DNS traffic detected: DNS query: www.inn-paaaa.buzz
Source: global traffic DNS traffic detected: DNS query: www.nlineschools-2507-001-sap.click
Source: global traffic DNS traffic detected: DNS query: www.irex.info
Source: global traffic DNS traffic detected: DNS query: www.olandopaintingllc.online
Source: global traffic DNS traffic detected: DNS query: www.f6b-crxy.top
Source: global traffic DNS traffic detected: DNS query: www.siabgc4d.online
Source: global traffic DNS traffic detected: DNS query: www.itusbandar126.info
Source: global traffic DNS traffic detected: DNS query: www.48372305.top
Source: global traffic DNS traffic detected: DNS query: www.ajakgoid.online
Source: explorer.exe, 00000004.00000002.4575434129.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4575434129.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000002.4575434129.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4575434129.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000002.4575434129.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4575434129.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000002.4575434129.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4575434129.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000002.4575434129.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000000.2177613587.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2166078667.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2177583011.0000000007B50000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.400725iimfyuj120.top
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.400725iimfyuj120.top/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.400725iimfyuj120.top/cu29/www.5mwhs.top
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.400725iimfyuj120.topReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.48372305.top
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.48372305.top/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.48372305.top/cu29/www.ajakgoid.online
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.48372305.topReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.5mwhs.top
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.5mwhs.top/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.5mwhs.top/cu29/www.qidr.shop
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.5mwhs.topReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ainan.company
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ainan.company/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ainan.company/cu29/www.inn-paaaa.buzz
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ainan.companyReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ajakgoid.online
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ajakgoid.online/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ajakgoid.online/cu29/www.400725iimfyuj120.top
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ajakgoid.onlineReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.azino-forum-pro.online
Source: explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.azino-forum-pro.online/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.azino-forum-pro.onlineReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f6b-crxy.top
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f6b-crxy.top/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f6b-crxy.top/cu29/www.siabgc4d.online
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.f6b-crxy.topReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.inn-paaaa.buzz
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.inn-paaaa.buzz/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.inn-paaaa.buzz/cu29/www.nlineschools-2507-001-sap.click
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.inn-paaaa.buzzReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.irex.info
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.irex.info/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.irex.info/cu29/www.olandopaintingllc.online
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.irex.infoReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itusbandar126.info
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itusbandar126.info/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itusbandar126.info/cu29/www.48372305.top
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itusbandar126.infoReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nlineschools-2507-001-sap.click
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nlineschools-2507-001-sap.click/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nlineschools-2507-001-sap.click/cu29/www.irex.info
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nlineschools-2507-001-sap.clickReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olandopaintingllc.online
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olandopaintingllc.online/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olandopaintingllc.online/cu29/www.srtio.xyz
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olandopaintingllc.onlineReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oursmile.vip
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oursmile.vip/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oursmile.vip/cu29/www.ainan.company
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oursmile.vipReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qidr.shop
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qidr.shop/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qidr.shop/cu29/www.azino-forum-pro.online
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qidr.shopReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.siabgc4d.online
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.siabgc4d.online/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.siabgc4d.online/cu29/www.itusbandar126.info
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.siabgc4d.onlineReferer:
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.srtio.xyz
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.srtio.xyz/cu29/
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.srtio.xyz/cu29/www.f6b-crxy.top
Source: explorer.exe, 00000004.00000003.2980682313.000000000C4C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4580339736.000000000C4C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.srtio.xyzReferer:
Source: explorer.exe, 00000004.00000000.2179503898.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4576072203.00000000099AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000004.00000002.4579146683.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2182557419.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000002.4575434129.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000004.00000002.4575434129.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000004.00000002.4575434129.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000002.4575434129.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000004.00000002.4575434129.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000002.4575434129.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000004.00000003.2980811348.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4579146683.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2182557419.000000000C048000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000004.00000003.2980811348.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4579146683.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2182557419.000000000C048000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000004.00000002.4579146683.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2182557419.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000000.2179503898.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4576072203.00000000099AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000004.00000003.2980811348.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4579146683.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2182557419.000000000C048000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000004.00000002.4573173816.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 2_2_00459FFF
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00456354
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C08E
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 2_2_0047C08E

E-Banking Fraud

Source: Yara match File source: 3.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.subpredicate.exe.3020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.subpredicate.exe.3020000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.subpredicate.exe.b30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.subpredicate.exe.b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2330599381.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4569629328.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4570251763.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2231589301.00000000003B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2325079929.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2231787989.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2325776767.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2327836661.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2291675436.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2232255534.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4570322313.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2162533053.0000000000B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 11.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.subpredicate.exe.3020000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.subpredicate.exe.3020000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.subpredicate.exe.3020000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.subpredicate.exe.3020000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.subpredicate.exe.3020000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.subpredicate.exe.3020000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.subpredicate.exe.b30000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.subpredicate.exe.b30000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.subpredicate.exe.b30000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 11.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.subpredicate.exe.b30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.subpredicate.exe.b30000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.subpredicate.exe.b30000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2330599381.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2330599381.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2330599381.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4569629328.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4569629328.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4569629328.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4570251763.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4570251763.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4570251763.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2231589301.00000000003B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2231589301.00000000003B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.2231589301.00000000003B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2325079929.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2325079929.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2325079929.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2231787989.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2231787989.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.2231787989.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2325776767.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2325776767.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2325776767.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2327836661.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2327836661.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2327836661.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2291675436.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2291675436.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2291675436.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4582113332.000000000FECA000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000003.00000002.2232255534.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2232255534.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.2232255534.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4570322313.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4570322313.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4570322313.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2162533053.0000000000B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2162533053.0000000000B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2162533053.0000000000B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: subpredicate.exe PID: 4328, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 3604, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: WWAHost.exe PID: 6992, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: subpredicate.exe PID: 2436, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 5724, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: control.exe PID: 3196, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72AD0 NtReadFile,LdrInitializeThunk, 3_2_00C72AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_00C72BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72B60 NtClose,LdrInitializeThunk, 3_2_00C72B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72CA0 NtQueryInformationToken,LdrInitializeThunk, 3_2_00C72CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72DD0 NtDelayExecution,LdrInitializeThunk, 3_2_00C72DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72DF0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_00C72DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72D10 NtMapViewOfSection,LdrInitializeThunk, 3_2_00C72D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72D30 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_00C72D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72E80 NtReadVirtualMemory,LdrInitializeThunk, 3_2_00C72E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_00C72EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72FE0 NtCreateFile,LdrInitializeThunk, 3_2_00C72FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72F90 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_00C72F90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72FB0 NtResumeThread,LdrInitializeThunk, 3_2_00C72FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72F30 NtCreateSection,LdrInitializeThunk, 3_2_00C72F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C74340 NtSetContextThread, 3_2_00C74340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C74650 NtSuspendThread, 3_2_00C74650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72AF0 NtWriteFile, 3_2_00C72AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72AB0 NtWaitForSingleObject, 3_2_00C72AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72BE0 NtQueryValueKey, 3_2_00C72BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72B80 NtQueryInformationFile, 3_2_00C72B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72BA0 NtEnumerateValueKey, 3_2_00C72BA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72CC0 NtQueryVirtualMemory, 3_2_00C72CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72CF0 NtOpenProcess, 3_2_00C72CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72C60 NtCreateKey, 3_2_00C72C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72C70 NtFreeVirtualMemory, 3_2_00C72C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72C00 NtQueryInformationProcess, 3_2_00C72C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72DB0 NtEnumerateKey, 3_2_00C72DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72D00 NtSetInformationFile, 3_2_00C72D00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72EE0 NtQueueApcThread, 3_2_00C72EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72E30 NtWriteVirtualMemory, 3_2_00C72E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72FA0 NtQuerySection, 3_2_00C72FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72F60 NtCreateProcessEx, 3_2_00C72F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C73090 NtSetValueKey, 3_2_00C73090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C73010 NtOpenDirectoryObject, 3_2_00C73010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C735C0 NtCreateMutant, 3_2_00C735C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C739B0 NtGetContextThread, 3_2_00C739B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C73D70 NtOpenThread, 3_2_00C73D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C73D10 NtOpenProcessToken, 3_2_00C73D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CA320 NtCreateFile, 3_2_003CA320
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CA3D0 NtReadFile, 3_2_003CA3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CA450 NtClose, 3_2_003CA450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CA500 NtAllocateVirtualMemory, 3_2_003CA500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CA31B NtCreateFile, 3_2_003CA31B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CA44A NtClose, 3_2_003CA44A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CA4FA NtAllocateVirtualMemory, 3_2_003CA4FA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F9A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 3_2_00F9A036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F9A042 NtQueryInformationProcess, 3_2_00F9A042
Source: C:\Windows\explorer.exe Code function: 4_2_0FEB2232 NtCreateFile, 4_2_0FEB2232
Source: C:\Windows\explorer.exe Code function: 4_2_0FEB3E12 NtProtectVirtualMemory, 4_2_0FEB3E12
Source: C:\Windows\explorer.exe Code function: 4_2_0FEB3E0A NtProtectVirtualMemory, 4_2_0FEB3E0A
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004461ED
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 2_2_004364AA
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00409A40 0_2_00409A40
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00412038 0_2_00412038
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00427161 0_2_00427161
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0047E1FA 0_2_0047E1FA
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004212BE 0_2_004212BE
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00443390 0_2_00443390
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00443391 0_2_00443391
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0041A46B 0_2_0041A46B
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0041240C 0_2_0041240C
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00446566 0_2_00446566
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004045E0 0_2_004045E0
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0041D750 0_2_0041D750
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004037E0 0_2_004037E0
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00427859 0_2_00427859
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00412818 0_2_00412818
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0040F890 0_2_0040F890
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0042397B 0_2_0042397B
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00411B63 0_2_00411B63
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0047CBF0 0_2_0047CBF0
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0044EBBC 0_2_0044EBBC
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00412C38 0_2_00412C38
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0044ED9A 0_2_0044ED9A
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00423EBF 0_2_00423EBF
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00424F70 0_2_00424F70
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0041AF0D 0_2_0041AF0D
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_03EB5FD0 0_2_03EB5FD0
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00409A40 2_2_00409A40
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00412038 2_2_00412038
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00427161 2_2_00427161
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0047E1FA 2_2_0047E1FA
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_004212BE 2_2_004212BE
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00443390 2_2_00443390
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00443391 2_2_00443391
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0041A46B 2_2_0041A46B
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0041240C 2_2_0041240C
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00446566 2_2_00446566
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_004045E0 2_2_004045E0
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0041D750 2_2_0041D750
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_004037E0 2_2_004037E0
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00427859 2_2_00427859
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00412818 2_2_00412818
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0040F890 2_2_0040F890
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0042397B 2_2_0042397B
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00411B63 2_2_00411B63
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0047CBF0 2_2_0047CBF0
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0044EBBC 2_2_0044EBBC
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00412C38 2_2_00412C38
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0044ED9A 2_2_0044ED9A
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00423EBF 2_2_00423EBF
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00424F70 2_2_00424F70
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0041AF0D 2_2_0041AF0D
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_03E08178 2_2_03E08178
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD2000 3_2_00CD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF81CC 3_2_00CF81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF41A2 3_2_00CF41A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D001AA 3_2_00D001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC8158 3_2_00CC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C30100 3_2_00C30100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDA118 3_2_00CDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC02C0 3_2_00CC02C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4E3F0 3_2_00C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D003E6 3_2_00D003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFA352 3_2_00CFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CEE4F6 3_2_00CEE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF2446 3_2_00CF2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE4420 3_2_00CE4420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D00591 3_2_00D00591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40535 3_2_00C40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5C6E0 3_2_00C5C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3C7C0 3_2_00C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C64750 3_2_00C64750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E8F0 3_2_00C6E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C268B8 3_2_00C268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4A840 3_2_00C4A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C42840 3_2_00C42840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D0A9A6 3_2_00D0A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C56962 3_2_00C56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3EA80 3_2_00C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF6BD7 3_2_00CF6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFAB40 3_2_00CFAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C30CF2 3_2_00C30CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0CB5 3_2_00CE0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40C00 3_2_00C40C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3ADE0 3_2_00C3ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C58DBF 3_2_00C58DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4AD00 3_2_00C4AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDCD1F 3_2_00CDCD1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFEEDB 3_2_00CFEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C52E90 3_2_00C52E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFCE93 3_2_00CFCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40E59 3_2_00C40E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFEE26 3_2_00CFEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C32FC8 3_2_00C32FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4CFE0 3_2_00C4CFE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBEFA0 3_2_00CBEFA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB4F40 3_2_00CB4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C82F28 3_2_00C82F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C60F30 3_2_00C60F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE2F30 3_2_00CE2F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CEF0CC 3_2_00CEF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C470C0 3_2_00C470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF70E9 3_2_00CF70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFF0E0 3_2_00CFF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4B1B0 3_2_00C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C7516C 3_2_00C7516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2F172 3_2_00C2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D0B16B 3_2_00D0B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5B2C0 3_2_00C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE12ED 3_2_00CE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C452A0 3_2_00C452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C8739A 3_2_00C8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2D34C 3_2_00C2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF132D 3_2_00CF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C31460 3_2_00C31460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFF43F 3_2_00CFF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D095C3 3_2_00D095C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDD5B0 3_2_00CDD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF7571 3_2_00CF7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF16CC 3_2_00CF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C85630 3_2_00C85630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFF7B0 3_2_00CFF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C438E0 3_2_00C438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAD800 3_2_00CAD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C49950 3_2_00C49950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5B950 3_2_00C5B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD5910 3_2_00CD5910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CEDAC6 3_2_00CEDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDDAAC 3_2_00CDDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C85AA0 3_2_00C85AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE1AA3 3_2_00CE1AA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFFA49 3_2_00CFFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF7A46 3_2_00CF7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB3A6C 3_2_00CB3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB5BF0 3_2_00CB5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C7DBF9 3_2_00C7DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5FB80 3_2_00C5FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFFB76 3_2_00CFFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFFCF2 3_2_00CFFCF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB9C32 3_2_00CB9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5FDC0 3_2_00C5FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C43D40 3_2_00C43D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF1D5A 3_2_00CF1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF7D73 3_2_00CF7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C49EB0 3_2_00C49EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C03FD2 3_2_00C03FD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C03FD5 3_2_00C03FD5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C41F92 3_2_00C41F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFFFB1 3_2_00CFFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFFF09 3_2_00CFFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CE77C 3_2_003CE77C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CED75 3_2_003CED75
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003B2D90 3_2_003B2D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CEE8A 3_2_003CEE8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003B2FB0 3_2_003B2FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003B1030 3_2_003B1030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CD772 3_2_003CD772
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003B9E50 3_2_003B9E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003B9E4C 3_2_003B9E4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F9A036 3_2_00F9A036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F91082 3_2_00F91082
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F9B232 3_2_00F9B232
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F9E5CD 3_2_00F9E5CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F98912 3_2_00F98912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F95B30 3_2_00F95B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F95B32 3_2_00F95B32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F92D02 3_2_00F92D02
Source: C:\Windows\explorer.exe Code function: 4_2_0E1A1232 4_2_0E1A1232
Source: C:\Windows\explorer.exe Code function: 4_2_0E19BB30 4_2_0E19BB30
Source: C:\Windows\explorer.exe Code function: 4_2_0E19BB32 4_2_0E19BB32
Source: C:\Windows\explorer.exe Code function: 4_2_0E1A0036 4_2_0E1A0036
Source: C:\Windows\explorer.exe Code function: 4_2_0E197082 4_2_0E197082
Source: C:\Windows\explorer.exe Code function: 4_2_0E19E912 4_2_0E19E912
Source: C:\Windows\explorer.exe Code function: 4_2_0E198D02 4_2_0E198D02
Source: C:\Windows\explorer.exe Code function: 4_2_0E1A45CD 4_2_0E1A45CD
Source: C:\Windows\explorer.exe Code function: 4_2_0FEB2232 4_2_0FEB2232
Source: C:\Windows\explorer.exe Code function: 4_2_0FEB55CD 4_2_0FEB55CD
Source: C:\Windows\explorer.exe Code function: 4_2_0FEACB32 4_2_0FEACB32
Source: C:\Windows\explorer.exe Code function: 4_2_0FEACB30 4_2_0FEACB30
Source: C:\Windows\explorer.exe Code function: 4_2_0FEA9D02 4_2_0FEA9D02
Source: C:\Windows\explorer.exe Code function: 4_2_0FEAF912 4_2_0FEAF912
Source: C:\Windows\explorer.exe Code function: 4_2_0FEA8082 4_2_0FEA8082
Source: C:\Windows\explorer.exe Code function: 4_2_0FEB1036 4_2_0FEB1036
Source: C:\Windows\explorer.exe Code function: 4_2_103C6036 4_2_103C6036
Source: C:\Windows\explorer.exe Code function: 4_2_103BD082 4_2_103BD082
Source: C:\Windows\explorer.exe Code function: 4_2_103C4912 4_2_103C4912
Source: C:\Windows\explorer.exe Code function: 4_2_103BED02 4_2_103BED02
Source: C:\Windows\explorer.exe Code function: 4_2_103CA5CD 4_2_103CA5CD
Source: C:\Windows\explorer.exe Code function: 4_2_103C7232 4_2_103C7232
Source: C:\Windows\explorer.exe Code function: 4_2_103C1B30 4_2_103C1B30
Source: C:\Windows\explorer.exe Code function: 4_2_103C1B32 4_2_103C1B32
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00C87E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00CAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00C2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00C75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00CBF290 appears 105 times
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: String function: 0040E6D0 appears 35 times
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: String function: 0040E6D0 appears 35 times
Source: New PO 127429.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 3.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 11.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.subpredicate.exe.3020000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.subpredicate.exe.3020000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.subpredicate.exe.3020000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.subpredicate.exe.3020000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.subpredicate.exe.3020000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.subpredicate.exe.3020000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.subpredicate.exe.b30000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.subpredicate.exe.b30000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.subpredicate.exe.b30000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 11.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.subpredicate.exe.b30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.subpredicate.exe.b30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.subpredicate.exe.b30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2330599381.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2330599381.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2330599381.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4569629328.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4569629328.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4569629328.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4570251763.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4570251763.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4570251763.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2231589301.00000000003B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2231589301.00000000003B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2231589301.00000000003B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2325079929.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2325079929.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2325079929.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2231787989.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2231787989.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2231787989.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2325776767.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2325776767.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2325776767.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2327836661.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2327836661.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2327836661.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2291675436.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2291675436.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2291675436.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4582113332.000000000FECA000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000003.00000002.2232255534.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2232255534.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2232255534.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4570322313.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4570322313.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4570322313.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2162533053.0000000000B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2162533053.0000000000B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2162533053.0000000000B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: subpredicate.exe PID: 4328, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 3604, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: WWAHost.exe PID: 6992, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: subpredicate.exe PID: 2436, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 5724, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: control.exe PID: 3196, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@276/4@11/1
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW, 0_2_0044AF5C
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464422
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 2_2_00464422
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 2_2_004364AA
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D517
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle, 0_2_0043701F
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_0047A999
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043614F
Source: C:\Users\user\Desktop\New PO 127429.exe File created: C:\Users\user\AppData\Local\meshuggenah
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
Source: C:\Users\user\Desktop\New PO 127429.exe File created: C:\Users\user\AppData\Local\Temp\wherefore
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs"
Source: C:\Users\user\Desktop\New PO 127429.exe Command line argument: #v 0_2_0040D7F0
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Command line argument: #v 2_2_0040D7F0
Source: New PO 127429.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New PO 127429.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: New PO 127429.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\New PO 127429.exe File read: C:\Users\user\Desktop\New PO 127429.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\New PO 127429.exe "C:\Users\user\Desktop\New PO 127429.exe"
Source: C:\Users\user\Desktop\New PO 127429.exe Process created: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe "C:\Users\user\Desktop\New PO 127429.exe"
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New PO 127429.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe "C:\Windows\SysWOW64\WWAHost.exe"
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe "C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe"
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"
Source: C:\Users\user\Desktop\New PO 127429.exe Process created: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe "C:\Users\user\Desktop\New PO 127429.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New PO 127429.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe "C:\Windows\SysWOW64\WWAHost.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe "C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe" Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: New PO 127429.exe Static file information: File size 1133297 > 1048576
Source: Binary string: WWAHost.pdb source: svchost.exe, 00000003.00000002.2232939719.0000000004CC0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2231224412.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2231048518.0000000003300000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4569716945.0000000000650000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: WWAHost.pdbUGP source: svchost.exe, 00000003.00000002.2232939719.0000000004CC0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2231224412.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2231048518.0000000003300000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4569716945.0000000000650000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: subpredicate.exe, 00000002.00000003.2159303367.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 00000002.00000003.2159492823.0000000004250000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2163399323.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2161769954.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2231901830.0000000000D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2231901830.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4571145912.000000000377E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4571145912.00000000035E0000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2234581135.0000000003431000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2231987186.0000000003287000.00000004.00000020.00020000.00000000.sdmp, subpredicate.exe, 00000009.00000003.2289872805.0000000004040000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 00000009.00000003.2290520431.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2328642904.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2290568190.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2328642904.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2292396362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.2334320683.0000000004540000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000C.00000002.2334320683.00000000046DE000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000C.00000003.2325054368.00000000041D0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.2327955879.000000000438F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: control.pdb source: svchost.exe, 0000000B.00000003.2324322977.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2324212356.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.2333948575.00000000004F0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: subpredicate.exe, 00000002.00000003.2159303367.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 00000002.00000003.2159492823.0000000004250000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.2163399323.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2161769954.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2231901830.0000000000D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2231901830.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4571145912.000000000377E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4571145912.00000000035E0000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2234581135.0000000003431000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2231987186.0000000003287000.00000004.00000020.00020000.00000000.sdmp, subpredicate.exe, 00000009.00000003.2289872805.0000000004040000.00000004.00001000.00020000.00000000.sdmp, subpredicate.exe, 00000009.00000003.2290520431.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2328642904.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2290568190.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2328642904.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2292396362.0000000003200000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.2334320683.0000000004540000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000C.00000002.2334320683.00000000046DE000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000C.00000003.2325054368.00000000041D0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.2327955879.000000000438F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: control.pdbUGP source: svchost.exe, 0000000B.00000003.2324322977.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2324212356.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.2333948575.00000000004F0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000004.00000002.4583774603.0000000010B7F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4570454249.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4571847507.0000000003B2F000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000004.00000002.4583774603.0000000010B7F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4570454249.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4571847507.0000000003B2F000.00000004.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: subpredicate.exe.0.dr Static PE information: real checksum: 0xa2135 should be: 0x119abe
Source: New PO 127429.exe Static PE information: real checksum: 0xa2135 should be: 0x119abe
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_004171D1 push ecx; ret 2_2_004171E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C0225F pushad ; ret 3_2_00C027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C027FA pushad ; ret 3_2_00C027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C0283D push eax; iretd 3_2_00C02858
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C309AD push ecx; mov dword ptr [esp], ecx 3_2_00C309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C01065 push edi; ret 3_2_00C0108A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C01368 push eax; iretd 3_2_00C01369
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C018F5 push edx; iretd 3_2_00C01906
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CE77C push 2E339416h; ret 3_2_003CE842
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003C6B24 push ss; retf 3_2_003C6B27
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CED53 push dword ptr [914FBFDDh]; ret 3_2_003CED74
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CD475 push eax; ret 3_2_003CD4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CD4CB push eax; ret 3_2_003CD532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CD4C2 push eax; ret 3_2_003CD4C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003CD52C push eax; ret 3_2_003CD532
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003C779C push esp; retf 3_2_003C779D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003C794F push ss; ret 3_2_003C797F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_003C7993 push ss; ret 3_2_003C797F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F9E9B5 push esp; retn 0000h 3_2_00F9EAE7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F9EB1E push esp; retn 0000h 3_2_00F9EB1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00F9EB02 push esp; retn 0000h 3_2_00F9EB03
Source: C:\Windows\explorer.exe Code function: 4_2_0E1A4B1E push esp; retn 0000h 4_2_0E1A4B1F
Source: C:\Windows\explorer.exe Code function: 4_2_0E1A4B02 push esp; retn 0000h 4_2_0E1A4B03
Source: C:\Windows\explorer.exe Code function: 4_2_0E1A49B5 push esp; retn 0000h 4_2_0E1A4AE7
Source: C:\Windows\explorer.exe Code function: 4_2_0FEB59B5 push esp; retn 0000h 4_2_0FEB5AE7
Source: C:\Windows\explorer.exe Code function: 4_2_0FEB5B02 push esp; retn 0000h 4_2_0FEB5B03
Source: C:\Windows\explorer.exe Code function: 4_2_0FEB5B1E push esp; retn 0000h 4_2_0FEB5B1F
Source: C:\Windows\explorer.exe Code function: 4_2_103CA9B5 push esp; retn 0000h 4_2_103CAAE7
Source: C:\Windows\explorer.exe Code function: 4_2_103CAB1E push esp; retn 0000h 4_2_103CAB1F
Source: C:\Windows\explorer.exe Code function: 4_2_103CAB02 push esp; retn 0000h 4_2_103CAB03
Source: C:\Users\user\Desktop\New PO 127429.exe File created: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs Jump to dropped file
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subpredicate.vbs Jump to behavior
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_004772DE
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_004375B0
Source: C:\Users\user\Desktop\New PO 127429.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00444078 0_2_00444078
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00444078 2_2_00444078
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe API/Special instruction interceptor: Address: 3E07D9C
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe API/Special instruction interceptor: Address: 3E36404
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 3B9904 second address: 3B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 3B9B6E second address: 3B9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 629904 second address: 62990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 629B6E second address: 629B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 319904 second address: 31990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 319B6E second address: 319B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C7096E rdtsc 3_2_00C7096E
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 9767
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 788
Source: C:\Windows\SysWOW64\WWAHost.exe Window / User API: threadDelayed 9833
Source: C:\Users\user\Desktop\New PO 127429.exe API coverage: 3.3 %
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.0 %
Source: C:\Windows\explorer.exe TID: 1060 Thread sleep time: -19534000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1060 Thread sleep time: -348000s >= -30000s
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 4196 Thread sleep count: 138 > 30
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 4196 Thread sleep time: -276000s >= -30000s
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 4196 Thread sleep count: 9833 > 30
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 4196 Thread sleep time: -19666000s >= -30000s
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00452126
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 2_2_0045C999
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00436ADE
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00434BEE
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0045DD7C FindFirstFileW,FindClose, 2_2_0045DD7C
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 2_2_0044BD29
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 2_2_00436D2D
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00442E1F
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_00475FE5
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0044BF8D
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: wscript.exe, 00000008.00000003.2264964575.0000022FEB386000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: explorer.exe, 00000004.00000002.4575434129.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000962B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000004.00000000.2179503898.00000000097F3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000002.4575434129.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2178974001.000000000973C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000004.00000002.4576072203.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000004.00000002.4575434129.0000000009605000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: explorer.exe, 00000004.00000000.2183564496.000000000C474000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: &me#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94
Source: explorer.exe, 00000004.00000002.4569861643.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.4569861643.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000004.00000000.2178974001.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4575434129.000000000978C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000008.00000003.2264964575.0000022FEB386000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000004.00000000.2176487486.00000000073E5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000004.00000002.4576072203.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000004.00000002.4569861643.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000004.00000002.4576072203.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000004.00000002.4569861643.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C7096E rdtsc 3_2_00C7096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72AD0 NtReadFile,LdrInitializeThunk, 3_2_00C72AD0
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_03EB47F0 mov eax, dword ptr fs:[00000030h] 0_2_03EB47F0
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_03EB5EC0 mov eax, dword ptr fs:[00000030h] 0_2_03EB5EC0
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_03EB5E60 mov eax, dword ptr fs:[00000030h] 0_2_03EB5E60
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_03E08068 mov eax, dword ptr fs:[00000030h] 2_2_03E08068
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_03E08008 mov eax, dword ptr fs:[00000030h] 2_2_03E08008
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_03E06998 mov eax, dword ptr fs:[00000030h] 2_2_03E06998
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB20DE mov eax, dword ptr fs:[00000030h] 3_2_00CB20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2A0E3 mov ecx, dword ptr fs:[00000030h] 3_2_00C2A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C380E9 mov eax, dword ptr fs:[00000030h] 3_2_00C380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB60E0 mov eax, dword ptr fs:[00000030h] 3_2_00CB60E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2C0F0 mov eax, dword ptr fs:[00000030h] 3_2_00C2C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C720F0 mov ecx, dword ptr fs:[00000030h] 3_2_00C720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3208A mov eax, dword ptr fs:[00000030h] 3_2_00C3208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C280A0 mov eax, dword ptr fs:[00000030h] 3_2_00C280A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC80A8 mov eax, dword ptr fs:[00000030h] 3_2_00CC80A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF60B8 mov eax, dword ptr fs:[00000030h] 3_2_00CF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF60B8 mov ecx, dword ptr fs:[00000030h] 3_2_00CF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C32050 mov eax, dword ptr fs:[00000030h] 3_2_00C32050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB6050 mov eax, dword ptr fs:[00000030h] 3_2_00CB6050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5C073 mov eax, dword ptr fs:[00000030h] 3_2_00C5C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB4000 mov ecx, dword ptr fs:[00000030h] 3_2_00CB4000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD2000 mov eax, dword ptr fs:[00000030h] 3_2_00CD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD2000 mov eax, dword ptr fs:[00000030h] 3_2_00CD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD2000 mov eax, dword ptr fs:[00000030h] 3_2_00CD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD2000 mov eax, dword ptr fs:[00000030h] 3_2_00CD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD2000 mov eax, dword ptr fs:[00000030h] 3_2_00CD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD2000 mov eax, dword ptr fs:[00000030h] 3_2_00CD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD2000 mov eax, dword ptr fs:[00000030h] 3_2_00CD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD2000 mov eax, dword ptr fs:[00000030h] 3_2_00CD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4E016 mov eax, dword ptr fs:[00000030h] 3_2_00C4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4E016 mov eax, dword ptr fs:[00000030h] 3_2_00C4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4E016 mov eax, dword ptr fs:[00000030h] 3_2_00C4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4E016 mov eax, dword ptr fs:[00000030h] 3_2_00C4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2A020 mov eax, dword ptr fs:[00000030h] 3_2_00C2A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2C020 mov eax, dword ptr fs:[00000030h] 3_2_00C2C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC6030 mov eax, dword ptr fs:[00000030h] 3_2_00CC6030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF61C3 mov eax, dword ptr fs:[00000030h] 3_2_00CF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF61C3 mov eax, dword ptr fs:[00000030h] 3_2_00CF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAE1D0 mov eax, dword ptr fs:[00000030h] 3_2_00CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAE1D0 mov eax, dword ptr fs:[00000030h] 3_2_00CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAE1D0 mov ecx, dword ptr fs:[00000030h] 3_2_00CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAE1D0 mov eax, dword ptr fs:[00000030h] 3_2_00CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAE1D0 mov eax, dword ptr fs:[00000030h] 3_2_00CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D061E5 mov eax, dword ptr fs:[00000030h] 3_2_00D061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C601F8 mov eax, dword ptr fs:[00000030h] 3_2_00C601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C70185 mov eax, dword ptr fs:[00000030h] 3_2_00C70185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CEC188 mov eax, dword ptr fs:[00000030h] 3_2_00CEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CEC188 mov eax, dword ptr fs:[00000030h] 3_2_00CEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD4180 mov eax, dword ptr fs:[00000030h] 3_2_00CD4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD4180 mov eax, dword ptr fs:[00000030h] 3_2_00CD4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB019F mov eax, dword ptr fs:[00000030h] 3_2_00CB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB019F mov eax, dword ptr fs:[00000030h] 3_2_00CB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB019F mov eax, dword ptr fs:[00000030h] 3_2_00CB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB019F mov eax, dword ptr fs:[00000030h] 3_2_00CB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2A197 mov eax, dword ptr fs:[00000030h] 3_2_00C2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2A197 mov eax, dword ptr fs:[00000030h] 3_2_00C2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2A197 mov eax, dword ptr fs:[00000030h] 3_2_00C2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC4144 mov eax, dword ptr fs:[00000030h] 3_2_00CC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC4144 mov eax, dword ptr fs:[00000030h] 3_2_00CC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC4144 mov ecx, dword ptr fs:[00000030h] 3_2_00CC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC4144 mov eax, dword ptr fs:[00000030h] 3_2_00CC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC4144 mov eax, dword ptr fs:[00000030h] 3_2_00CC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2C156 mov eax, dword ptr fs:[00000030h] 3_2_00C2C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC8158 mov eax, dword ptr fs:[00000030h] 3_2_00CC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C36154 mov eax, dword ptr fs:[00000030h] 3_2_00C36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C36154 mov eax, dword ptr fs:[00000030h] 3_2_00C36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D04164 mov eax, dword ptr fs:[00000030h] 3_2_00D04164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D04164 mov eax, dword ptr fs:[00000030h] 3_2_00D04164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE10E mov eax, dword ptr fs:[00000030h] 3_2_00CDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE10E mov ecx, dword ptr fs:[00000030h] 3_2_00CDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE10E mov eax, dword ptr fs:[00000030h] 3_2_00CDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE10E mov eax, dword ptr fs:[00000030h] 3_2_00CDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE10E mov ecx, dword ptr fs:[00000030h] 3_2_00CDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE10E mov eax, dword ptr fs:[00000030h] 3_2_00CDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE10E mov eax, dword ptr fs:[00000030h] 3_2_00CDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE10E mov ecx, dword ptr fs:[00000030h] 3_2_00CDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE10E mov eax, dword ptr fs:[00000030h] 3_2_00CDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE10E mov ecx, dword ptr fs:[00000030h] 3_2_00CDE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDA118 mov ecx, dword ptr fs:[00000030h] 3_2_00CDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDA118 mov eax, dword ptr fs:[00000030h] 3_2_00CDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDA118 mov eax, dword ptr fs:[00000030h] 3_2_00CDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDA118 mov eax, dword ptr fs:[00000030h] 3_2_00CDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF0115 mov eax, dword ptr fs:[00000030h] 3_2_00CF0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C60124 mov eax, dword ptr fs:[00000030h] 3_2_00C60124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A2C3 mov eax, dword ptr fs:[00000030h] 3_2_00C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A2C3 mov eax, dword ptr fs:[00000030h] 3_2_00C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A2C3 mov eax, dword ptr fs:[00000030h] 3_2_00C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A2C3 mov eax, dword ptr fs:[00000030h] 3_2_00C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A2C3 mov eax, dword ptr fs:[00000030h] 3_2_00C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D062D6 mov eax, dword ptr fs:[00000030h] 3_2_00D062D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C402E1 mov eax, dword ptr fs:[00000030h] 3_2_00C402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C402E1 mov eax, dword ptr fs:[00000030h] 3_2_00C402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C402E1 mov eax, dword ptr fs:[00000030h] 3_2_00C402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E284 mov eax, dword ptr fs:[00000030h] 3_2_00C6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E284 mov eax, dword ptr fs:[00000030h] 3_2_00C6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB0283 mov eax, dword ptr fs:[00000030h] 3_2_00CB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB0283 mov eax, dword ptr fs:[00000030h] 3_2_00CB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB0283 mov eax, dword ptr fs:[00000030h] 3_2_00CB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC62A0 mov eax, dword ptr fs:[00000030h] 3_2_00CC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC62A0 mov ecx, dword ptr fs:[00000030h] 3_2_00CC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC62A0 mov eax, dword ptr fs:[00000030h] 3_2_00CC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC62A0 mov eax, dword ptr fs:[00000030h] 3_2_00CC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC62A0 mov eax, dword ptr fs:[00000030h] 3_2_00CC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC62A0 mov eax, dword ptr fs:[00000030h] 3_2_00CC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB8243 mov eax, dword ptr fs:[00000030h] 3_2_00CB8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB8243 mov ecx, dword ptr fs:[00000030h] 3_2_00CB8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D0625D mov eax, dword ptr fs:[00000030h] 3_2_00D0625D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2A250 mov eax, dword ptr fs:[00000030h] 3_2_00C2A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C36259 mov eax, dword ptr fs:[00000030h] 3_2_00C36259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CEA250 mov eax, dword ptr fs:[00000030h] 3_2_00CEA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CEA250 mov eax, dword ptr fs:[00000030h] 3_2_00CEA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C34260 mov eax, dword ptr fs:[00000030h] 3_2_00C34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C34260 mov eax, dword ptr fs:[00000030h] 3_2_00C34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C34260 mov eax, dword ptr fs:[00000030h] 3_2_00C34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2826B mov eax, dword ptr fs:[00000030h] 3_2_00C2826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 mov eax, dword ptr fs:[00000030h] 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 mov eax, dword ptr fs:[00000030h] 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 mov eax, dword ptr fs:[00000030h] 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 mov eax, dword ptr fs:[00000030h] 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 mov eax, dword ptr fs:[00000030h] 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 mov eax, dword ptr fs:[00000030h] 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 mov eax, dword ptr fs:[00000030h] 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 mov eax, dword ptr fs:[00000030h] 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 mov eax, dword ptr fs:[00000030h] 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 mov eax, dword ptr fs:[00000030h] 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 mov eax, dword ptr fs:[00000030h] 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE0274 mov eax, dword ptr fs:[00000030h] 3_2_00CE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2823B mov eax, dword ptr fs:[00000030h] 3_2_00C2823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CEC3CD mov eax, dword ptr fs:[00000030h] 3_2_00CEC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A3C0 mov eax, dword ptr fs:[00000030h] 3_2_00C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A3C0 mov eax, dword ptr fs:[00000030h] 3_2_00C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A3C0 mov eax, dword ptr fs:[00000030h] 3_2_00C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A3C0 mov eax, dword ptr fs:[00000030h] 3_2_00C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A3C0 mov eax, dword ptr fs:[00000030h] 3_2_00C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A3C0 mov eax, dword ptr fs:[00000030h] 3_2_00C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C383C0 mov eax, dword ptr fs:[00000030h] 3_2_00C383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C383C0 mov eax, dword ptr fs:[00000030h] 3_2_00C383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C383C0 mov eax, dword ptr fs:[00000030h] 3_2_00C383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C383C0 mov eax, dword ptr fs:[00000030h] 3_2_00C383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB63C0 mov eax, dword ptr fs:[00000030h] 3_2_00CB63C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE3DB mov eax, dword ptr fs:[00000030h] 3_2_00CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE3DB mov eax, dword ptr fs:[00000030h] 3_2_00CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE3DB mov ecx, dword ptr fs:[00000030h] 3_2_00CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDE3DB mov eax, dword ptr fs:[00000030h] 3_2_00CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD43D4 mov eax, dword ptr fs:[00000030h] 3_2_00CD43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD43D4 mov eax, dword ptr fs:[00000030h] 3_2_00CD43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C403E9 mov eax, dword ptr fs:[00000030h] 3_2_00C403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C403E9 mov eax, dword ptr fs:[00000030h] 3_2_00C403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C403E9 mov eax, dword ptr fs:[00000030h] 3_2_00C403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C403E9 mov eax, dword ptr fs:[00000030h] 3_2_00C403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C403E9 mov eax, dword ptr fs:[00000030h] 3_2_00C403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C403E9 mov eax, dword ptr fs:[00000030h] 3_2_00C403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C403E9 mov eax, dword ptr fs:[00000030h] 3_2_00C403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C403E9 mov eax, dword ptr fs:[00000030h] 3_2_00C403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4E3F0 mov eax, dword ptr fs:[00000030h] 3_2_00C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4E3F0 mov eax, dword ptr fs:[00000030h] 3_2_00C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4E3F0 mov eax, dword ptr fs:[00000030h] 3_2_00C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C663FF mov eax, dword ptr fs:[00000030h] 3_2_00C663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2E388 mov eax, dword ptr fs:[00000030h] 3_2_00C2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2E388 mov eax, dword ptr fs:[00000030h] 3_2_00C2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2E388 mov eax, dword ptr fs:[00000030h] 3_2_00C2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5438F mov eax, dword ptr fs:[00000030h] 3_2_00C5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5438F mov eax, dword ptr fs:[00000030h] 3_2_00C5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C28397 mov eax, dword ptr fs:[00000030h] 3_2_00C28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C28397 mov eax, dword ptr fs:[00000030h] 3_2_00C28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C28397 mov eax, dword ptr fs:[00000030h] 3_2_00C28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB2349 mov eax, dword ptr fs:[00000030h] 3_2_00CB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB035C mov eax, dword ptr fs:[00000030h] 3_2_00CB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB035C mov eax, dword ptr fs:[00000030h] 3_2_00CB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB035C mov eax, dword ptr fs:[00000030h] 3_2_00CB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB035C mov ecx, dword ptr fs:[00000030h] 3_2_00CB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB035C mov eax, dword ptr fs:[00000030h] 3_2_00CB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB035C mov eax, dword ptr fs:[00000030h] 3_2_00CB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFA352 mov eax, dword ptr fs:[00000030h] 3_2_00CFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD8350 mov ecx, dword ptr fs:[00000030h] 3_2_00CD8350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D0634F mov eax, dword ptr fs:[00000030h] 3_2_00D0634F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD437C mov eax, dword ptr fs:[00000030h] 3_2_00CD437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6A30B mov eax, dword ptr fs:[00000030h] 3_2_00C6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6A30B mov eax, dword ptr fs:[00000030h] 3_2_00C6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6A30B mov eax, dword ptr fs:[00000030h] 3_2_00C6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2C310 mov ecx, dword ptr fs:[00000030h] 3_2_00C2C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C50310 mov ecx, dword ptr fs:[00000030h] 3_2_00C50310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D08324 mov eax, dword ptr fs:[00000030h] 3_2_00D08324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D08324 mov ecx, dword ptr fs:[00000030h] 3_2_00D08324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D08324 mov eax, dword ptr fs:[00000030h] 3_2_00D08324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D08324 mov eax, dword ptr fs:[00000030h] 3_2_00D08324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C304E5 mov ecx, dword ptr fs:[00000030h] 3_2_00C304E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CEA49A mov eax, dword ptr fs:[00000030h] 3_2_00CEA49A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C364AB mov eax, dword ptr fs:[00000030h] 3_2_00C364AB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C644B0 mov ecx, dword ptr fs:[00000030h] 3_2_00C644B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBA4B0 mov eax, dword ptr fs:[00000030h] 3_2_00CBA4B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E443 mov eax, dword ptr fs:[00000030h] 3_2_00C6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E443 mov eax, dword ptr fs:[00000030h] 3_2_00C6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E443 mov eax, dword ptr fs:[00000030h] 3_2_00C6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E443 mov eax, dword ptr fs:[00000030h] 3_2_00C6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E443 mov eax, dword ptr fs:[00000030h] 3_2_00C6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E443 mov eax, dword ptr fs:[00000030h] 3_2_00C6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E443 mov eax, dword ptr fs:[00000030h] 3_2_00C6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E443 mov eax, dword ptr fs:[00000030h] 3_2_00C6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CEA456 mov eax, dword ptr fs:[00000030h] 3_2_00CEA456
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2645D mov eax, dword ptr fs:[00000030h] 3_2_00C2645D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5245A mov eax, dword ptr fs:[00000030h] 3_2_00C5245A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBC460 mov ecx, dword ptr fs:[00000030h] 3_2_00CBC460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5A470 mov eax, dword ptr fs:[00000030h] 3_2_00C5A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5A470 mov eax, dword ptr fs:[00000030h] 3_2_00C5A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5A470 mov eax, dword ptr fs:[00000030h] 3_2_00C5A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C68402 mov eax, dword ptr fs:[00000030h] 3_2_00C68402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C68402 mov eax, dword ptr fs:[00000030h] 3_2_00C68402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C68402 mov eax, dword ptr fs:[00000030h] 3_2_00C68402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2E420 mov eax, dword ptr fs:[00000030h] 3_2_00C2E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2E420 mov eax, dword ptr fs:[00000030h] 3_2_00C2E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2E420 mov eax, dword ptr fs:[00000030h] 3_2_00C2E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C2C427 mov eax, dword ptr fs:[00000030h] 3_2_00C2C427
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB6420 mov eax, dword ptr fs:[00000030h] 3_2_00CB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB6420 mov eax, dword ptr fs:[00000030h] 3_2_00CB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB6420 mov eax, dword ptr fs:[00000030h] 3_2_00CB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB6420 mov eax, dword ptr fs:[00000030h] 3_2_00CB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB6420 mov eax, dword ptr fs:[00000030h] 3_2_00CB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB6420 mov eax, dword ptr fs:[00000030h] 3_2_00CB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB6420 mov eax, dword ptr fs:[00000030h] 3_2_00CB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6A430 mov eax, dword ptr fs:[00000030h] 3_2_00C6A430
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E5CF mov eax, dword ptr fs:[00000030h] 3_2_00C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E5CF mov eax, dword ptr fs:[00000030h] 3_2_00C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C365D0 mov eax, dword ptr fs:[00000030h] 3_2_00C365D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6A5D0 mov eax, dword ptr fs:[00000030h] 3_2_00C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6A5D0 mov eax, dword ptr fs:[00000030h] 3_2_00C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E5E7 mov eax, dword ptr fs:[00000030h] 3_2_00C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E5E7 mov eax, dword ptr fs:[00000030h] 3_2_00C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E5E7 mov eax, dword ptr fs:[00000030h] 3_2_00C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E5E7 mov eax, dword ptr fs:[00000030h] 3_2_00C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E5E7 mov eax, dword ptr fs:[00000030h] 3_2_00C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E5E7 mov eax, dword ptr fs:[00000030h] 3_2_00C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E5E7 mov eax, dword ptr fs:[00000030h] 3_2_00C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E5E7 mov eax, dword ptr fs:[00000030h] 3_2_00C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C325E0 mov eax, dword ptr fs:[00000030h] 3_2_00C325E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6C5ED mov eax, dword ptr fs:[00000030h] 3_2_00C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6C5ED mov eax, dword ptr fs:[00000030h] 3_2_00C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C32582 mov eax, dword ptr fs:[00000030h] 3_2_00C32582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C32582 mov ecx, dword ptr fs:[00000030h] 3_2_00C32582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C64588 mov eax, dword ptr fs:[00000030h] 3_2_00C64588
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6E59C mov eax, dword ptr fs:[00000030h] 3_2_00C6E59C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB05A7 mov eax, dword ptr fs:[00000030h] 3_2_00CB05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB05A7 mov eax, dword ptr fs:[00000030h] 3_2_00CB05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB05A7 mov eax, dword ptr fs:[00000030h] 3_2_00CB05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C545B1 mov eax, dword ptr fs:[00000030h] 3_2_00C545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C545B1 mov eax, dword ptr fs:[00000030h] 3_2_00C545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C38550 mov eax, dword ptr fs:[00000030h] 3_2_00C38550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C38550 mov eax, dword ptr fs:[00000030h] 3_2_00C38550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6656A mov eax, dword ptr fs:[00000030h] 3_2_00C6656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6656A mov eax, dword ptr fs:[00000030h] 3_2_00C6656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6656A mov eax, dword ptr fs:[00000030h] 3_2_00C6656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC6500 mov eax, dword ptr fs:[00000030h] 3_2_00CC6500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D04500 mov eax, dword ptr fs:[00000030h] 3_2_00D04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D04500 mov eax, dword ptr fs:[00000030h] 3_2_00D04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D04500 mov eax, dword ptr fs:[00000030h] 3_2_00D04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D04500 mov eax, dword ptr fs:[00000030h] 3_2_00D04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D04500 mov eax, dword ptr fs:[00000030h] 3_2_00D04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D04500 mov eax, dword ptr fs:[00000030h] 3_2_00D04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D04500 mov eax, dword ptr fs:[00000030h] 3_2_00D04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40535 mov eax, dword ptr fs:[00000030h] 3_2_00C40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40535 mov eax, dword ptr fs:[00000030h] 3_2_00C40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40535 mov eax, dword ptr fs:[00000030h] 3_2_00C40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40535 mov eax, dword ptr fs:[00000030h] 3_2_00C40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40535 mov eax, dword ptr fs:[00000030h] 3_2_00C40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40535 mov eax, dword ptr fs:[00000030h] 3_2_00C40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E53E mov eax, dword ptr fs:[00000030h] 3_2_00C5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E53E mov eax, dword ptr fs:[00000030h] 3_2_00C5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E53E mov eax, dword ptr fs:[00000030h] 3_2_00C5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E53E mov eax, dword ptr fs:[00000030h] 3_2_00C5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E53E mov eax, dword ptr fs:[00000030h] 3_2_00C5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6A6C7 mov ebx, dword ptr fs:[00000030h] 3_2_00C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6A6C7 mov eax, dword ptr fs:[00000030h] 3_2_00C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAE6F2 mov eax, dword ptr fs:[00000030h] 3_2_00CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAE6F2 mov eax, dword ptr fs:[00000030h] 3_2_00CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAE6F2 mov eax, dword ptr fs:[00000030h] 3_2_00CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAE6F2 mov eax, dword ptr fs:[00000030h] 3_2_00CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB06F1 mov eax, dword ptr fs:[00000030h] 3_2_00CB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB06F1 mov eax, dword ptr fs:[00000030h] 3_2_00CB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C34690 mov eax, dword ptr fs:[00000030h] 3_2_00C34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C34690 mov eax, dword ptr fs:[00000030h] 3_2_00C34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6C6A6 mov eax, dword ptr fs:[00000030h] 3_2_00C6C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C666B0 mov eax, dword ptr fs:[00000030h] 3_2_00C666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4C640 mov eax, dword ptr fs:[00000030h] 3_2_00C4C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF866E mov eax, dword ptr fs:[00000030h] 3_2_00CF866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CF866E mov eax, dword ptr fs:[00000030h] 3_2_00CF866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6A660 mov eax, dword ptr fs:[00000030h] 3_2_00C6A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6A660 mov eax, dword ptr fs:[00000030h] 3_2_00C6A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C62674 mov eax, dword ptr fs:[00000030h] 3_2_00C62674
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAE609 mov eax, dword ptr fs:[00000030h] 3_2_00CAE609
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4260B mov eax, dword ptr fs:[00000030h] 3_2_00C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4260B mov eax, dword ptr fs:[00000030h] 3_2_00C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4260B mov eax, dword ptr fs:[00000030h] 3_2_00C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4260B mov eax, dword ptr fs:[00000030h] 3_2_00C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4260B mov eax, dword ptr fs:[00000030h] 3_2_00C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4260B mov eax, dword ptr fs:[00000030h] 3_2_00C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4260B mov eax, dword ptr fs:[00000030h] 3_2_00C4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72619 mov eax, dword ptr fs:[00000030h] 3_2_00C72619
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C4E627 mov eax, dword ptr fs:[00000030h] 3_2_00C4E627
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C66620 mov eax, dword ptr fs:[00000030h] 3_2_00C66620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C68620 mov eax, dword ptr fs:[00000030h] 3_2_00C68620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3262C mov eax, dword ptr fs:[00000030h] 3_2_00C3262C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3C7C0 mov eax, dword ptr fs:[00000030h] 3_2_00C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB07C3 mov eax, dword ptr fs:[00000030h] 3_2_00CB07C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C527ED mov eax, dword ptr fs:[00000030h] 3_2_00C527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C527ED mov eax, dword ptr fs:[00000030h] 3_2_00C527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C527ED mov eax, dword ptr fs:[00000030h] 3_2_00C527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBE7E1 mov eax, dword ptr fs:[00000030h] 3_2_00CBE7E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C347FB mov eax, dword ptr fs:[00000030h] 3_2_00C347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C347FB mov eax, dword ptr fs:[00000030h] 3_2_00C347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD678E mov eax, dword ptr fs:[00000030h] 3_2_00CD678E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C307AF mov eax, dword ptr fs:[00000030h] 3_2_00C307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE47A0 mov eax, dword ptr fs:[00000030h] 3_2_00CE47A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6674D mov esi, dword ptr fs:[00000030h] 3_2_00C6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6674D mov eax, dword ptr fs:[00000030h] 3_2_00C6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6674D mov eax, dword ptr fs:[00000030h] 3_2_00C6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C30750 mov eax, dword ptr fs:[00000030h] 3_2_00C30750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBE75D mov eax, dword ptr fs:[00000030h] 3_2_00CBE75D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72750 mov eax, dword ptr fs:[00000030h] 3_2_00C72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C72750 mov eax, dword ptr fs:[00000030h] 3_2_00C72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB4755 mov eax, dword ptr fs:[00000030h] 3_2_00CB4755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C38770 mov eax, dword ptr fs:[00000030h] 3_2_00C38770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 mov eax, dword ptr fs:[00000030h] 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 mov eax, dword ptr fs:[00000030h] 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 mov eax, dword ptr fs:[00000030h] 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 mov eax, dword ptr fs:[00000030h] 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 mov eax, dword ptr fs:[00000030h] 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 mov eax, dword ptr fs:[00000030h] 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 mov eax, dword ptr fs:[00000030h] 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 mov eax, dword ptr fs:[00000030h] 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 mov eax, dword ptr fs:[00000030h] 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 mov eax, dword ptr fs:[00000030h] 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 mov eax, dword ptr fs:[00000030h] 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40770 mov eax, dword ptr fs:[00000030h] 3_2_00C40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6C700 mov eax, dword ptr fs:[00000030h] 3_2_00C6C700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C30710 mov eax, dword ptr fs:[00000030h] 3_2_00C30710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C60710 mov eax, dword ptr fs:[00000030h] 3_2_00C60710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6C720 mov eax, dword ptr fs:[00000030h] 3_2_00C6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6C720 mov eax, dword ptr fs:[00000030h] 3_2_00C6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6273C mov eax, dword ptr fs:[00000030h] 3_2_00C6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6273C mov ecx, dword ptr fs:[00000030h] 3_2_00C6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6273C mov eax, dword ptr fs:[00000030h] 3_2_00C6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAC730 mov eax, dword ptr fs:[00000030h] 3_2_00CAC730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5E8C0 mov eax, dword ptr fs:[00000030h] 3_2_00C5E8C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D008C0 mov eax, dword ptr fs:[00000030h] 3_2_00D008C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFA8E4 mov eax, dword ptr fs:[00000030h] 3_2_00CFA8E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6C8F9 mov eax, dword ptr fs:[00000030h] 3_2_00C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6C8F9 mov eax, dword ptr fs:[00000030h] 3_2_00C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C30887 mov eax, dword ptr fs:[00000030h] 3_2_00C30887
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBC89D mov eax, dword ptr fs:[00000030h] 3_2_00CBC89D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C42840 mov ecx, dword ptr fs:[00000030h] 3_2_00C42840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C60854 mov eax, dword ptr fs:[00000030h] 3_2_00C60854
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C34859 mov eax, dword ptr fs:[00000030h] 3_2_00C34859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C34859 mov eax, dword ptr fs:[00000030h] 3_2_00C34859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBE872 mov eax, dword ptr fs:[00000030h] 3_2_00CBE872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBE872 mov eax, dword ptr fs:[00000030h] 3_2_00CBE872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC6870 mov eax, dword ptr fs:[00000030h] 3_2_00CC6870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC6870 mov eax, dword ptr fs:[00000030h] 3_2_00CC6870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBC810 mov eax, dword ptr fs:[00000030h] 3_2_00CBC810
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C52835 mov eax, dword ptr fs:[00000030h] 3_2_00C52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C52835 mov eax, dword ptr fs:[00000030h] 3_2_00C52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C52835 mov eax, dword ptr fs:[00000030h] 3_2_00C52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C52835 mov ecx, dword ptr fs:[00000030h] 3_2_00C52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C52835 mov eax, dword ptr fs:[00000030h] 3_2_00C52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C52835 mov eax, dword ptr fs:[00000030h] 3_2_00C52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6A830 mov eax, dword ptr fs:[00000030h] 3_2_00C6A830
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD483A mov eax, dword ptr fs:[00000030h] 3_2_00CD483A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD483A mov eax, dword ptr fs:[00000030h] 3_2_00CD483A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC69C0 mov eax, dword ptr fs:[00000030h] 3_2_00CC69C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A9D0 mov eax, dword ptr fs:[00000030h] 3_2_00C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A9D0 mov eax, dword ptr fs:[00000030h] 3_2_00C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A9D0 mov eax, dword ptr fs:[00000030h] 3_2_00C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A9D0 mov eax, dword ptr fs:[00000030h] 3_2_00C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A9D0 mov eax, dword ptr fs:[00000030h] 3_2_00C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3A9D0 mov eax, dword ptr fs:[00000030h] 3_2_00C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C649D0 mov eax, dword ptr fs:[00000030h] 3_2_00C649D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFA9D3 mov eax, dword ptr fs:[00000030h] 3_2_00CFA9D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBE9E0 mov eax, dword ptr fs:[00000030h] 3_2_00CBE9E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C629F9 mov eax, dword ptr fs:[00000030h] 3_2_00C629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C629F9 mov eax, dword ptr fs:[00000030h] 3_2_00C629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C429A0 mov eax, dword ptr fs:[00000030h] 3_2_00C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C309AD mov eax, dword ptr fs:[00000030h] 3_2_00C309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C309AD mov eax, dword ptr fs:[00000030h] 3_2_00C309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB89B3 mov esi, dword ptr fs:[00000030h] 3_2_00CB89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB89B3 mov eax, dword ptr fs:[00000030h] 3_2_00CB89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB89B3 mov eax, dword ptr fs:[00000030h] 3_2_00CB89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB0946 mov eax, dword ptr fs:[00000030h] 3_2_00CB0946
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D04940 mov eax, dword ptr fs:[00000030h] 3_2_00D04940
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C56962 mov eax, dword ptr fs:[00000030h] 3_2_00C56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C56962 mov eax, dword ptr fs:[00000030h] 3_2_00C56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C56962 mov eax, dword ptr fs:[00000030h] 3_2_00C56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C7096E mov eax, dword ptr fs:[00000030h] 3_2_00C7096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C7096E mov edx, dword ptr fs:[00000030h] 3_2_00C7096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C7096E mov eax, dword ptr fs:[00000030h] 3_2_00C7096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD4978 mov eax, dword ptr fs:[00000030h] 3_2_00CD4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD4978 mov eax, dword ptr fs:[00000030h] 3_2_00CD4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBC97C mov eax, dword ptr fs:[00000030h] 3_2_00CBC97C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAE908 mov eax, dword ptr fs:[00000030h] 3_2_00CAE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CAE908 mov eax, dword ptr fs:[00000030h] 3_2_00CAE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBC912 mov eax, dword ptr fs:[00000030h] 3_2_00CBC912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C28918 mov eax, dword ptr fs:[00000030h] 3_2_00C28918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C28918 mov eax, dword ptr fs:[00000030h] 3_2_00C28918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CB892A mov eax, dword ptr fs:[00000030h] 3_2_00CB892A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC892B mov eax, dword ptr fs:[00000030h] 3_2_00CC892B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C86ACC mov eax, dword ptr fs:[00000030h] 3_2_00C86ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C86ACC mov eax, dword ptr fs:[00000030h] 3_2_00C86ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C86ACC mov eax, dword ptr fs:[00000030h] 3_2_00C86ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C30AD0 mov eax, dword ptr fs:[00000030h] 3_2_00C30AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C64AD0 mov eax, dword ptr fs:[00000030h] 3_2_00C64AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C64AD0 mov eax, dword ptr fs:[00000030h] 3_2_00C64AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6AAEE mov eax, dword ptr fs:[00000030h] 3_2_00C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6AAEE mov eax, dword ptr fs:[00000030h] 3_2_00C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3EA80 mov eax, dword ptr fs:[00000030h] 3_2_00C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3EA80 mov eax, dword ptr fs:[00000030h] 3_2_00C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3EA80 mov eax, dword ptr fs:[00000030h] 3_2_00C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3EA80 mov eax, dword ptr fs:[00000030h] 3_2_00C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3EA80 mov eax, dword ptr fs:[00000030h] 3_2_00C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3EA80 mov eax, dword ptr fs:[00000030h] 3_2_00C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3EA80 mov eax, dword ptr fs:[00000030h] 3_2_00C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3EA80 mov eax, dword ptr fs:[00000030h] 3_2_00C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C3EA80 mov eax, dword ptr fs:[00000030h] 3_2_00C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D04A80 mov eax, dword ptr fs:[00000030h] 3_2_00D04A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C68A90 mov edx, dword ptr fs:[00000030h] 3_2_00C68A90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C38AA0 mov eax, dword ptr fs:[00000030h] 3_2_00C38AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C38AA0 mov eax, dword ptr fs:[00000030h] 3_2_00C38AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C86AA4 mov eax, dword ptr fs:[00000030h] 3_2_00C86AA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C36A50 mov eax, dword ptr fs:[00000030h] 3_2_00C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C36A50 mov eax, dword ptr fs:[00000030h] 3_2_00C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C36A50 mov eax, dword ptr fs:[00000030h] 3_2_00C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C36A50 mov eax, dword ptr fs:[00000030h] 3_2_00C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C36A50 mov eax, dword ptr fs:[00000030h] 3_2_00C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C36A50 mov eax, dword ptr fs:[00000030h] 3_2_00C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C36A50 mov eax, dword ptr fs:[00000030h] 3_2_00C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40A5B mov eax, dword ptr fs:[00000030h] 3_2_00C40A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40A5B mov eax, dword ptr fs:[00000030h] 3_2_00C40A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6CA6F mov eax, dword ptr fs:[00000030h] 3_2_00C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6CA6F mov eax, dword ptr fs:[00000030h] 3_2_00C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6CA6F mov eax, dword ptr fs:[00000030h] 3_2_00C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDEA60 mov eax, dword ptr fs:[00000030h] 3_2_00CDEA60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CACA72 mov eax, dword ptr fs:[00000030h] 3_2_00CACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CACA72 mov eax, dword ptr fs:[00000030h] 3_2_00CACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBCA11 mov eax, dword ptr fs:[00000030h] 3_2_00CBCA11
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6CA24 mov eax, dword ptr fs:[00000030h] 3_2_00C6CA24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5EA2E mov eax, dword ptr fs:[00000030h] 3_2_00C5EA2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C54A35 mov eax, dword ptr fs:[00000030h] 3_2_00C54A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C54A35 mov eax, dword ptr fs:[00000030h] 3_2_00C54A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C6CA38 mov eax, dword ptr fs:[00000030h] 3_2_00C6CA38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C50BCB mov eax, dword ptr fs:[00000030h] 3_2_00C50BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C50BCB mov eax, dword ptr fs:[00000030h] 3_2_00C50BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C50BCB mov eax, dword ptr fs:[00000030h] 3_2_00C50BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C30BCD mov eax, dword ptr fs:[00000030h] 3_2_00C30BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C30BCD mov eax, dword ptr fs:[00000030h] 3_2_00C30BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C30BCD mov eax, dword ptr fs:[00000030h] 3_2_00C30BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDEBD0 mov eax, dword ptr fs:[00000030h] 3_2_00CDEBD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C38BF0 mov eax, dword ptr fs:[00000030h] 3_2_00C38BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C38BF0 mov eax, dword ptr fs:[00000030h] 3_2_00C38BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C38BF0 mov eax, dword ptr fs:[00000030h] 3_2_00C38BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C5EBFC mov eax, dword ptr fs:[00000030h] 3_2_00C5EBFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CBCBF0 mov eax, dword ptr fs:[00000030h] 3_2_00CBCBF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40BBE mov eax, dword ptr fs:[00000030h] 3_2_00C40BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C40BBE mov eax, dword ptr fs:[00000030h] 3_2_00C40BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE4BB0 mov eax, dword ptr fs:[00000030h] 3_2_00CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE4BB0 mov eax, dword ptr fs:[00000030h] 3_2_00CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE4B4B mov eax, dword ptr fs:[00000030h] 3_2_00CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CE4B4B mov eax, dword ptr fs:[00000030h] 3_2_00CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D02B57 mov eax, dword ptr fs:[00000030h] 3_2_00D02B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D02B57 mov eax, dword ptr fs:[00000030h] 3_2_00D02B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D02B57 mov eax, dword ptr fs:[00000030h] 3_2_00D02B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00D02B57 mov eax, dword ptr fs:[00000030h] 3_2_00D02B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC6B40 mov eax, dword ptr fs:[00000030h] 3_2_00CC6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CC6B40 mov eax, dword ptr fs:[00000030h] 3_2_00CC6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CFAB40 mov eax, dword ptr fs:[00000030h] 3_2_00CFAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CD8B42 mov eax, dword ptr fs:[00000030h] 3_2_00CD8B42
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00C28B50 mov eax, dword ptr fs:[00000030h] 3_2_00C28B50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00CDEB50 mov eax, dword ptr fs:[00000030h] 3_2_00CDEB50
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0042202E SetUnhandledExceptionFilter, 2_2_0042202E
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004230F5
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00417D93
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00421FA7

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 4004
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 4004
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 4004
Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 650000
Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 4F0000
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 4FA008
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 75B008
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_00436431
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New PO 127429.exe"
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe "C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe"
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe"
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: explorer.exe, 00000004.00000000.2165979441.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4570679148.00000000013A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: New PO 127429.exe, subpredicate.exe, explorer.exe, 00000004.00000000.2165979441.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4570679148.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2176290512.00000000048E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.2165979441.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4570679148.00000000013A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.2165654124.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4569861643.0000000000D69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +Progman
Source: New PO 127429.exe, subpredicate.exe.0.dr Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: explorer.exe, 00000004.00000000.2165979441.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4570679148.00000000013A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.2179503898.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4576072203.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd31A
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_0042039F
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Users\user\Desktop\New PO 127429.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 3.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.subpredicate.exe.3020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.subpredicate.exe.3020000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.subpredicate.exe.b30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.subpredicate.exe.b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2330599381.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4569629328.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4570251763.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2231589301.00000000003B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2325079929.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2231787989.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2325776767.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2327836661.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2291675436.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2232255534.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4570322313.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2162533053.0000000000B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: subpredicate.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: subpredicate.exe Binary or memory string: WIN_XP
Source: subpredicate.exe Binary or memory string: WIN_XPe
Source: subpredicate.exe Binary or memory string: WIN_VISTA
Source: subpredicate.exe Binary or memory string: WIN_7

Remote Access Functionality

Source: Yara match File source: 3.2.svchost.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.subpredicate.exe.3020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.subpredicate.exe.3020000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.subpredicate.exe.b30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.subpredicate.exe.b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2330599381.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4569629328.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4570251763.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2231589301.00000000003B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2325079929.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2231787989.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2325776767.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2327836661.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2291675436.0000000003020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2232255534.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4570322313.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2162533053.0000000000B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\New PO 127429.exe Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_004741BB
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 2_2_0046483C
Source: C:\Users\user\AppData\Local\meshuggenah\subpredicate.exe Code function: 2_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 2_2_0047AD92