Windows Analysis Report
Bonifico 2692024pdf.exe

Overview

General Information

Sample name: Bonifico 2692024pdf.exe
Analysis ID: 1519629
MD5: ab5a5fadd9a58b412281fa7c040c54ef
SHA1: d67c6a5fb65869cbb381c0a8276dea5e30ecfed1
SHA256: e4d1f88b5db146a70bce062886dd60b15d13bda9b325535ef4d3ffcb484981ec
Tags: D3LabexeFormBookSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Found malware configuration
Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.reakinggroundtherapy.pro/e23y/"], "decoy": ["stiloeconforto.shop", "79nn470gl.autos", "ffg.autos", "elix-saaac.buzz", "tlasbet88win.sbs", "inoliga.app", "777.fun", "avada-ga-3.press", "avandakitchen.online", "61ep864tr.autos", "igitalonlineseva.online", "ar-deals-15908.bond", "sqqpkv.pro", "368i8rnoy.xyz", "lxspinsenin.lol", "9y204r7eo.sbs", "toptalkingaboutit.net", "eeplab.xyz", "filmyhit.vip", "athroom-remodeling-59089.bond", "hwqcoiu.xyz", "ome-care-76206.bond", "tudioalberto.online", "anfocusedviews.shop", "ibrarygym.online", "emosjumpers.net", "mg-marketing.online", "19bet.xyz", "7556r.club", "sed-cars-35796.bond", "liveiraeletro.online", "iangshen56.cloud", "aeempreendora.online", "bets.net", "sychology-degree-69585.bond", "est-arthritis-therapy-9711.buzz", "zkirv.top", "8015.xyz", "uwueriudsjkdjnfjkdjnkxzk.vip", "etausaha.online", "crubber-brush-64789.bond", "iversitiendaplus.shop", "wrzlak.buzz", "b-999.top", "ower-bank-za-4886348.world", "2361.asia", "believehim.net", "leeconcerned.info", "oland-flight-deal.today", "c-marketing.net", "wgxb.top", "pboardresult.net", "nitednationsofindia.net", "oupondhakel.shop", "elationship-coach-72450.bond", "ounjaronaturaloferta.online", "wpgs2448.vip", "8080734.xyz", "mvqimnpwkxcixccaeafmibpiq.top", "arpediemwireless.net", "eth-paaad.buzz", "renvillemarianne.net", "tephsmith.info", "opinformation.net"]}
Multi AV Scanner detection for submitted file
Source: Bonifico 2692024pdf.exe ReversingLabs: Detection: 42%
Yara detected FormBook
Source: Yara match File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Bonifico 2692024pdf.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Bonifico 2692024pdf.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: colorcpl.pdbGCTL source: svchost.exe, 00000002.00000003.2100988646.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2101004918.0000000003430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2102673772.0000000005620000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2100887491.000000000341C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4499924950.0000000000C50000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb source: svchost.exe, 00000002.00000003.2100988646.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2101004918.0000000003430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2102673772.0000000005620000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2100887491.000000000341C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000004.00000002.4499924950.0000000000C50000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Bonifico 2692024pdf.exe, 00000000.00000003.2041580738.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Bonifico 2692024pdf.exe, 00000000.00000003.2042095302.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2042804509.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2044608415.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2101721514.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.00000000052AE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2103406264.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.0000000005110000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Bonifico 2692024pdf.exe, 00000000.00000003.2041580738.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Bonifico 2692024pdf.exe, 00000000.00000003.2042095302.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2042804509.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2044608415.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000004.00000003.2101721514.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.00000000052AE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2103406264.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.0000000005110000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4513780603.0000000010CBF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4500309363.000000000330E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501809903.000000000565F000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4513780603.0000000010CBF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4500309363.000000000330E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501809903.000000000565F000.00000004.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01024696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_01024696
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102C93C FindFirstFileW,FindClose, 0_2_0102C93C
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0102C9C7
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0102F35D
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0102F200
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0102F65E
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01023A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_01023A2B
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01023D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_01023D4E
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0102BF27
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop esi 2_2_004172F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop esi 4_2_032772F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop ebx 4_2_03267B1B

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:62804 -> 195.85.59.61:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:62804 -> 195.85.59.61:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:62804 -> 195.85.59.61:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.reakinggroundtherapy.pro/e23y/
Performs DNS queries to domains with low reputation
Source: DNS query: www.eeplab.xyz
Tries to resolve many domain names, but no domain seems valid
Source: unknown DNS traffic detected: query: www.emosjumpers.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: 241.42.69.40.in-addr.arpa replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ome-care-76206.bond replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.oland-flight-deal.today replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ower-bank-za-4886348.world replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.arpediemwireless.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.eeplab.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.zkirv.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.reakinggroundtherapy.pro replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.believehim.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.inoliga.app replaycode: Name error (3)
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /e23y/?t8UP=DwtvniUQLpu3MRUm2IfWFG9b5evRRAGuG0irUgkzEgTLOHOkkfBziq8rt1/3cMlKaUc0&9r4Hc=GdSL HTTP/1.1Host: www.bets.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANISCODK DANISCODK
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_010325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_010325E2
Source: global traffic HTTP traffic detected: GET /e23y/?t8UP=DwtvniUQLpu3MRUm2IfWFG9b5evRRAGuG0irUgkzEgTLOHOkkfBziq8rt1/3cMlKaUc0&9r4Hc=GdSL HTTP/1.1Host: www.bets.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: www.eeplab.xyz
Source: global traffic DNS traffic detected: DNS query: www.inoliga.app
Source: global traffic DNS traffic detected: DNS query: www.ower-bank-za-4886348.world
Source: global traffic DNS traffic detected: DNS query: www.zkirv.top
Source: global traffic DNS traffic detected: DNS query: www.bets.net
Source: global traffic DNS traffic detected: DNS query: www.emosjumpers.net
Source: global traffic DNS traffic detected: DNS query: www.arpediemwireless.net
Source: global traffic DNS traffic detected: DNS query: www.believehim.net
Source: global traffic DNS traffic detected: DNS query: www.reakinggroundtherapy.pro
Source: global traffic DNS traffic detected: DNS query: www.oland-flight-deal.today
Source: global traffic DNS traffic detected: DNS query: www.ome-care-76206.bond
Source: explorer.exe, 00000003.00000002.4506883763.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.2053555947.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4500060295.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000003.00000002.4506883763.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000002.4506883763.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.4506883763.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000000.2059229241.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.4506223697.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2058010233.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2058557156.0000000008870000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.8015.xyz
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.8015.xyz/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.8015.xyz/e23y/www.b-999.top
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.8015.xyzReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ar-deals-15908.bond
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ar-deals-15908.bond/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ar-deals-15908.bond/e23y/www.wgxb.top
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ar-deals-15908.bondReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arpediemwireless.net
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arpediemwireless.net/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arpediemwireless.net/e23y/www.believehim.net
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arpediemwireless.netReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-999.top
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-999.top/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-999.top/e23y/h
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-999.topReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.believehim.net
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.believehim.net/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.believehim.net/e23y/www.reakinggroundtherapy.pro
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.believehim.netReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bets.net
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bets.net/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bets.net/e23y/www.emosjumpers.net
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bets.netReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eeplab.xyz
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eeplab.xyz/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eeplab.xyz/e23y/www.inoliga.app
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eeplab.xyzReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emosjumpers.net
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emosjumpers.net/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emosjumpers.net/e23y/www.arpediemwireless.net
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emosjumpers.netReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hwqcoiu.xyz
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hwqcoiu.xyz/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hwqcoiu.xyz/e23y/www.bets.net
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hwqcoiu.xyzReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.inoliga.app
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.inoliga.app/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.inoliga.app/e23y/www.ower-bank-za-4886348.world
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.inoliga.appReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oland-flight-deal.today
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oland-flight-deal.today/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oland-flight-deal.today/e23y/www.ome-care-76206.bond
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oland-flight-deal.todayReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ome-care-76206.bond
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ome-care-76206.bond/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ome-care-76206.bond/e23y/www.ar-deals-15908.bond
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ome-care-76206.bondReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ower-bank-za-4886348.world
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ower-bank-za-4886348.world/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ower-bank-za-4886348.world/e23y/www.zkirv.top
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ower-bank-za-4886348.worldReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reakinggroundtherapy.pro
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reakinggroundtherapy.pro/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reakinggroundtherapy.pro/e23y/www.oland-flight-deal.today
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.reakinggroundtherapy.proReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.wgxb.top
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.wgxb.top/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.wgxb.top/e23y/www.8015.xyz
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.wgxb.topReferer:
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zkirv.top
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zkirv.top/e23y/
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zkirv.top/e23y/www.hwqcoiu.xyz
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zkirv.topReferer:
Source: explorer.exe, 00000003.00000002.4510678695.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2061812730.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000003.00000003.3825137778.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2056882234.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000002.4506883763.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.2056882234.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4504170102.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000002.4502198824.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097030243.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2054700448.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000003.00000003.3097566585.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4507885872.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095576604.0000000009B79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000003.3096282137.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095576604.0000000009B79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4507951422.0000000009D42000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000000.2061812730.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4510678695.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000003.00000000.2059229241.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000003.00000000.2059229241.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0103425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0103425A
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01034458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_01034458
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0103425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0103425A
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01020219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_01020219
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0104CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0104CDAC

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4512445617.000000000E583000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Bonifico 2692024pdf.exe PID: 6084, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 1900, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 6184, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: This is a third-party compiled AutoIt script. 0_2_00FC3B4C
Source: Bonifico 2692024pdf.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Bonifico 2692024pdf.exe, 00000000.00000000.2030744951.0000000001075000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f036cb80-1
Source: Bonifico 2692024pdf.exe, 00000000.00000000.2030744951.0000000001075000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_dd97cbd1-0
Source: Bonifico 2692024pdf.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_53916b9b-7
Source: Bonifico 2692024pdf.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_94766f23-f
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A330 NtCreateFile, 2_2_0041A330
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A3E0 NtReadFile, 2_2_0041A3E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A460 NtClose, 2_2_0041A460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A510 NtAllocateVirtualMemory, 2_2_0041A510
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A3DA NtReadFile, 2_2_0041A3DA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A385 NtCreateFile, 2_2_0041A385
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A45B NtClose, 2_2_0041A45B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A50B NtAllocateVirtualMemory, 2_2_0041A50B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_03A72BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72B60 NtClose,LdrInitializeThunk, 2_2_03A72B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72AD0 NtReadFile,LdrInitializeThunk, 2_2_03A72AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72FB0 NtResumeThread,LdrInitializeThunk, 2_2_03A72FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72F90 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03A72F90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72FE0 NtCreateFile,LdrInitializeThunk, 2_2_03A72FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72F30 NtCreateSection,LdrInitializeThunk, 2_2_03A72F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_03A72EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72E80 NtReadVirtualMemory,LdrInitializeThunk, 2_2_03A72E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03A72DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72DD0 NtDelayExecution,LdrInitializeThunk, 2_2_03A72DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72D30 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_03A72D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72D10 NtMapViewOfSection,LdrInitializeThunk, 2_2_03A72D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72CA0 NtQueryInformationToken,LdrInitializeThunk, 2_2_03A72CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A74340 NtSetContextThread, 2_2_03A74340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A74650 NtSuspendThread, 2_2_03A74650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72BA0 NtEnumerateValueKey, 2_2_03A72BA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72B80 NtQueryInformationFile, 2_2_03A72B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72BE0 NtQueryValueKey, 2_2_03A72BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72AB0 NtWaitForSingleObject, 2_2_03A72AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72AF0 NtWriteFile, 2_2_03A72AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72FA0 NtQuerySection, 2_2_03A72FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72F60 NtCreateProcessEx, 2_2_03A72F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72EE0 NtQueueApcThread, 2_2_03A72EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72E30 NtWriteVirtualMemory, 2_2_03A72E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72DB0 NtEnumerateKey, 2_2_03A72DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72D00 NtSetInformationFile, 2_2_03A72D00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72CF0 NtOpenProcess, 2_2_03A72CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72CC0 NtQueryVirtualMemory, 2_2_03A72CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72C00 NtQueryInformationProcess, 2_2_03A72C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72C60 NtCreateKey, 2_2_03A72C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72C70 NtFreeVirtualMemory, 2_2_03A72C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A73090 NtSetValueKey, 2_2_03A73090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A73010 NtOpenDirectoryObject, 2_2_03A73010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A735C0 NtCreateMutant, 2_2_03A735C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A739B0 NtGetContextThread, 2_2_03A739B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A73D10 NtOpenProcessToken, 2_2_03A73D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A73D70 NtOpenThread, 2_2_03A73D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 2_2_02FEA036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEA042 NtQueryInformationProcess, 2_2_02FEA042
Source: C:\Windows\explorer.exe Code function: 3_2_0E56CE12 NtProtectVirtualMemory, 3_2_0E56CE12
Source: C:\Windows\explorer.exe Code function: 3_2_0E56B232 NtCreateFile, 3_2_0E56B232
Source: C:\Windows\explorer.exe Code function: 3_2_0E56CE0A NtProtectVirtualMemory, 3_2_0E56CE0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182D10 NtMapViewOfSection,LdrInitializeThunk, 4_2_05182D10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182DD0 NtDelayExecution,LdrInitializeThunk, 4_2_05182DD0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_05182DF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_05182C70
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182C60 NtCreateKey,LdrInitializeThunk, 4_2_05182C60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182CA0 NtQueryInformationToken,LdrInitializeThunk, 4_2_05182CA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182F30 NtCreateSection,LdrInitializeThunk, 4_2_05182F30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182FE0 NtCreateFile,LdrInitializeThunk, 4_2_05182FE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_05182EA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182B60 NtClose,LdrInitializeThunk, 4_2_05182B60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_05182BF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182BE0 NtQueryValueKey,LdrInitializeThunk, 4_2_05182BE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182AD0 NtReadFile,LdrInitializeThunk, 4_2_05182AD0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051835C0 NtCreateMutant,LdrInitializeThunk, 4_2_051835C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05184650 NtSuspendThread, 4_2_05184650
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05184340 NtSetContextThread, 4_2_05184340
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182D00 NtSetInformationFile, 4_2_05182D00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182D30 NtUnmapViewOfSection, 4_2_05182D30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182DB0 NtEnumerateKey, 4_2_05182DB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182C00 NtQueryInformationProcess, 4_2_05182C00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182CC0 NtQueryVirtualMemory, 4_2_05182CC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182CF0 NtOpenProcess, 4_2_05182CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182F60 NtCreateProcessEx, 4_2_05182F60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182F90 NtProtectVirtualMemory, 4_2_05182F90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182FB0 NtResumeThread, 4_2_05182FB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182FA0 NtQuerySection, 4_2_05182FA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182E30 NtWriteVirtualMemory, 4_2_05182E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182E80 NtReadVirtualMemory, 4_2_05182E80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182EE0 NtQueueApcThread, 4_2_05182EE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182B80 NtQueryInformationFile, 4_2_05182B80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182BA0 NtEnumerateValueKey, 4_2_05182BA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182AB0 NtWaitForSingleObject, 4_2_05182AB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05182AF0 NtWriteFile, 4_2_05182AF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05183010 NtOpenDirectoryObject, 4_2_05183010
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05183090 NtSetValueKey, 4_2_05183090
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05183D10 NtOpenProcessToken, 4_2_05183D10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05183D70 NtOpenThread, 4_2_05183D70
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051839B0 NtGetContextThread, 4_2_051839B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327A330 NtCreateFile, 4_2_0327A330
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327A3E0 NtReadFile, 4_2_0327A3E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327A510 NtAllocateVirtualMemory, 4_2_0327A510
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327A460 NtClose, 4_2_0327A460
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327A385 NtCreateFile, 4_2_0327A385
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327A3DA NtReadFile, 4_2_0327A3DA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327A50B NtAllocateVirtualMemory, 4_2_0327A50B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327A45B NtClose, 4_2_0327A45B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04FCA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 4_2_04FCA036
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04FC9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 4_2_04FC9BAF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04FCA042 NtQueryInformationProcess, 4_2_04FCA042
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04FC9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_04FC9BB2
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01024021: CreateFileW,DeviceIoControl,CloseHandle, 0_2_01024021
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01018858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_01018858
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_0102545F
Detected potential crypto function
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FCE800 0_2_00FCE800
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FEDBB5 0_2_00FEDBB5
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FCE060 0_2_00FCE060
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0104804A 0_2_0104804A
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FD4140 0_2_00FD4140
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FE2405 0_2_00FE2405
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FF6522 0_2_00FF6522
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FF267E 0_2_00FF267E
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01040665 0_2_01040665
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FD6843 0_2_00FD6843
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FE283A 0_2_00FE283A
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FF89DF 0_2_00FF89DF
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0101EB07 0_2_0101EB07
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01028B13 0_2_01028B13
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FF6A94 0_2_00FF6A94
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FD8A0E 0_2_00FD8A0E
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01040AE2 0_2_01040AE2
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FECD61 0_2_00FECD61
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FF7006 0_2_00FF7006
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FD3190 0_2_00FD3190
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FD710E 0_2_00FD710E
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FC1287 0_2_00FC1287
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FE33C7 0_2_00FE33C7
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FEF419 0_2_00FEF419
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FE16C4 0_2_00FE16C4
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FD5680 0_2_00FD5680
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FE78D3 0_2_00FE78D3
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FD58C0 0_2_00FD58C0
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FE1BB8 0_2_00FE1BB8
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FF9D05 0_2_00FF9D05
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FCFE40 0_2_00FCFE40
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FEBFE6 0_2_00FEBFE6
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FE1FD0 0_2_00FE1FD0
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00E53660 0_2_00E53660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401027 2_2_00401027
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E326 2_2_0041E326
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D573 2_2_0041D573
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E5B7 2_2_0041E5B7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041DDBE 2_2_0041DDBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409E5B 2_2_00409E5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409E60 2_2_00409E60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4E3F0 2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B003E6 2_2_03B003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFA352 2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC02C0 2_2_03AC02C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF41A2 2_2_03AF41A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B001AA 2_2_03B001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF81CC 2_2_03AF81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A30100 2_2_03A30100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADA118 2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC8158 2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD2000 2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3C7C0 2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A64750 2_2_03A64750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5C6E0 2_2_03A5C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B00591 2_2_03B00591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40535 2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AEE4F6 2_2_03AEE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE4420 2_2_03AE4420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF2446 2_2_03AF2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF6BD7 2_2_03AF6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFAB40 2_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3EA80 2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B0A9A6 2_2_03B0A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A56962 2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A268B8 2_2_03A268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E8F0 2_2_03A6E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4A840 2_2_03A4A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A42840 2_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABEFA0 2_2_03ABEFA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4CFE0 2_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A32FC8 2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A82F28 2_2_03A82F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A60F30 2_2_03A60F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE2F30 2_2_03AE2F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB4F40 2_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A52E90 2_2_03A52E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFCE93 2_2_03AFCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFEEDB 2_2_03AFEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFEE26 2_2_03AFEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40E59 2_2_03A40E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A58DBF 2_2_03A58DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3ADE0 2_2_03A3ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4AD00 2_2_03A4AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADCD1F 2_2_03ADCD1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0CB5 2_2_03AE0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A30CF2 2_2_03A30CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40C00 2_2_03A40C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A8739A 2_2_03A8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF132D 2_2_03AF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2D34C 2_2_03A2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A452A0 2_2_03A452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE12ED 2_2_03AE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5B2C0 2_2_03A5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4B1B0 2_2_03A4B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A7516C 2_2_03A7516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2F172 2_2_03A2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B0B16B 2_2_03B0B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF70E9 2_2_03AF70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFF0E0 2_2_03AFF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AEF0CC 2_2_03AEF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A470C0 2_2_03A470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFF7B0 2_2_03AFF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF16CC 2_2_03AF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A85630 2_2_03A85630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADD5B0 2_2_03ADD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B095C3 2_2_03B095C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF7571 2_2_03AF7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFF43F 2_2_03AFF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A31460 2_2_03A31460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5FB80 2_2_03A5FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB5BF0 2_2_03AB5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A7DBF9 2_2_03A7DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFFB76 2_2_03AFFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADDAAC 2_2_03ADDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A85AA0 2_2_03A85AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE1AA3 2_2_03AE1AA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AEDAC6 2_2_03AEDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB3A6C 2_2_03AB3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFFA49 2_2_03AFFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF7A46 2_2_03AF7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD5910 2_2_03AD5910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A49950 2_2_03A49950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5B950 2_2_03A5B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A438E0 2_2_03A438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAD800 2_2_03AAD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFFFB1 2_2_03AFFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A41F92 2_2_03A41F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A03FD2 2_2_03A03FD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A03FD5 2_2_03A03FD5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFFF09 2_2_03AFFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A49EB0 2_2_03A49EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5FDC0 2_2_03A5FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF7D73 2_2_03AF7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A43D40 2_2_03A43D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF1D5A 2_2_03AF1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFFCF2 2_2_03AFFCF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB9C32 2_2_03AB9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEA036 2_2_02FEA036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEB232 2_2_02FEB232
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE1082 2_2_02FE1082
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEE5CD 2_2_02FEE5CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE5B32 2_2_02FE5B32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE5B30 2_2_02FE5B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE8912 2_2_02FE8912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE2D02 2_2_02FE2D02
Source: C:\Windows\explorer.exe Code function: 3_2_0E56B232 3_2_0E56B232
Source: C:\Windows\explorer.exe Code function: 3_2_0E56A036 3_2_0E56A036
Source: C:\Windows\explorer.exe Code function: 3_2_0E561082 3_2_0E561082
Source: C:\Windows\explorer.exe Code function: 3_2_0E568912 3_2_0E568912
Source: C:\Windows\explorer.exe Code function: 3_2_0E562D02 3_2_0E562D02
Source: C:\Windows\explorer.exe Code function: 3_2_0E565B32 3_2_0E565B32
Source: C:\Windows\explorer.exe Code function: 3_2_0E565B30 3_2_0E565B30
Source: C:\Windows\explorer.exe Code function: 3_2_0E56E5CD 3_2_0E56E5CD
Source: C:\Windows\explorer.exe Code function: 3_2_1090B082 3_2_1090B082
Source: C:\Windows\explorer.exe Code function: 3_2_10914036 3_2_10914036
Source: C:\Windows\explorer.exe Code function: 3_2_109185CD 3_2_109185CD
Source: C:\Windows\explorer.exe Code function: 3_2_10912912 3_2_10912912
Source: C:\Windows\explorer.exe Code function: 3_2_1090CD02 3_2_1090CD02
Source: C:\Windows\explorer.exe Code function: 3_2_10915232 3_2_10915232
Source: C:\Windows\explorer.exe Code function: 3_2_1090FB30 3_2_1090FB30
Source: C:\Windows\explorer.exe Code function: 3_2_1090FB32 3_2_1090FB32
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05150535 4_2_05150535
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05210591 4_2_05210591
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051F4420 4_2_051F4420
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05202446 4_2_05202446
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051FE4F6 4_2_051FE4F6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05174750 4_2_05174750
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05150770 4_2_05150770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0514C7C0 4_2_0514C7C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0516C6E0 4_2_0516C6E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051EA118 4_2_051EA118
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05140100 4_2_05140100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051D8158 4_2_051D8158
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_052041A2 4_2_052041A2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_052101AA 4_2_052101AA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_052081CC 4_2_052081CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051E2000 4_2_051E2000
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520A352 4_2_0520A352
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_052103E6 4_2_052103E6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0515E3F0 4_2_0515E3F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051F0274 4_2_051F0274
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051D02C0 4_2_051D02C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051ECD1F 4_2_051ECD1F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0515AD00 4_2_0515AD00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05168DBF 4_2_05168DBF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0514ADE0 4_2_0514ADE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05150C00 4_2_05150C00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051F0CB5 4_2_051F0CB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05140CF2 4_2_05140CF2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05170F30 4_2_05170F30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051F2F30 4_2_051F2F30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05192F28 4_2_05192F28
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051C4F40 4_2_051C4F40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05162F7D 4_2_05162F7D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051CEFA0 4_2_051CEFA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05142FC8 4_2_05142FC8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0515CFE0 4_2_0515CFE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520EE26 4_2_0520EE26
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05150E59 4_2_05150E59
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520CE93 4_2_0520CE93
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520EEDB 4_2_0520EEDB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05166962 4_2_05166962
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0521A9A6 4_2_0521A9A6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051529A0 4_2_051529A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05152840 4_2_05152840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0515A840 4_2_0515A840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051368B8 4_2_051368B8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0517E8F0 4_2_0517E8F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520AB40 4_2_0520AB40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05206BD7 4_2_05206BD7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0514EA80 4_2_0514EA80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05207571 4_2_05207571
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051ED5B0 4_2_051ED5B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_052195C3 4_2_052195C3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520F43F 4_2_0520F43F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05141460 4_2_05141460
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520F7B0 4_2_0520F7B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05195630 4_2_05195630
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_052016CC 4_2_052016CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0521B16B 4_2_0521B16B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0513F172 4_2_0513F172
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0518516C 4_2_0518516C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0515B1B0 4_2_0515B1B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520F0E0 4_2_0520F0E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_052070E9 4_2_052070E9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051FF0CC 4_2_051FF0CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051570C0 4_2_051570C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520132D 4_2_0520132D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0513D34C 4_2_0513D34C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0519739A 4_2_0519739A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051552A0 4_2_051552A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0516B2C0 4_2_0516B2C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051F12ED 4_2_051F12ED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05207D73 4_2_05207D73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05153D40 4_2_05153D40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05201D5A 4_2_05201D5A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0516FDC0 4_2_0516FDC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051C9C32 4_2_051C9C32
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520FCF2 4_2_0520FCF2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520FF09 4_2_0520FF09
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05151F92 4_2_05151F92
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520FFB1 4_2_0520FFB1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05113FD2 4_2_05113FD2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05113FD5 4_2_05113FD5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05159EB0 4_2_05159EB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051E5910 4_2_051E5910
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05159950 4_2_05159950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0516B950 4_2_0516B950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051BD800 4_2_051BD800
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051538E0 4_2_051538E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520FB76 4_2_0520FB76
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0516FB80 4_2_0516FB80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0518DBF9 4_2_0518DBF9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051C5BF0 4_2_051C5BF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05207A46 4_2_05207A46
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0520FA49 4_2_0520FA49
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051C3A6C 4_2_051C3A6C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051EDAAC 4_2_051EDAAC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_05195AA0 4_2_05195AA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051F1AA3 4_2_051F1AA3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051FDAC6 4_2_051FDAC6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327E326 4_2_0327E326
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327D573 4_2_0327D573
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327E5B7 4_2_0327E5B7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_03262FB0 4_2_03262FB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_03269E60 4_2_03269E60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_03269E5B 4_2_03269E5B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327DDBE 4_2_0327DDBE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_03262D90 4_2_03262D90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04FCA036 4_2_04FCA036
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04FCE5CD 4_2_04FCE5CD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04FC2D02 4_2_04FC2D02
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04FC1082 4_2_04FC1082
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04FC8912 4_2_04FC8912
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04FCB232 4_2_04FCB232
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04FC5B30 4_2_04FC5B30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04FC5B32 4_2_04FC5B32
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: String function: 00FE0D27 appears 70 times
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: String function: 00FC7F41 appears 35 times
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: String function: 00FE8B40 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03A2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03A87E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03ABF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03A75130 appears 58 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 05185130 appears 58 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 051CF290 appears 105 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 05197E54 appears 111 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0513B970 appears 280 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 051BEA12 appears 86 times
Sample file is different than original file name gathered from version info
Source: Bonifico 2692024pdf.exe, 00000000.00000003.2040750326.00000000039F3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Bonifico 2692024pdf.exe
Source: Bonifico 2692024pdf.exe, 00000000.00000003.2040878420.0000000003EED000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Bonifico 2692024pdf.exe
Uses 32bit PE files
Source: Bonifico 2692024pdf.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4512445617.000000000E583000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Bonifico 2692024pdf.exe PID: 6084, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 1900, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 6184, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/4@12/1
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102A2D5 GetLastError,FormatMessageW, 0_2_0102A2D5
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01018713 AdjustTokenPrivileges,CloseHandle, 0_2_01018713
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01018CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_01018CC3
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0102B59E
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0103F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0103F121
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102C602 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0102C602
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FC4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00FC4FE9
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe File created: C:\Users\user\AppData\Local\Temp\autF7C0.tmp Jump to behavior
Source: Bonifico 2692024pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Bonifico 2692024pdf.exe ReversingLabs: Detection: 42%
Source: unknown Process created: C:\Users\user\Desktop\Bonifico 2692024pdf.exe "C:\Users\user\Desktop\Bonifico 2692024pdf.exe"
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Bonifico 2692024pdf.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Bonifico 2692024pdf.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32 Jump to behavior
Source: Bonifico 2692024pdf.exe Static file information: File size 1126400 > 1048576
Source: Bonifico 2692024pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Bonifico 2692024pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Bonifico 2692024pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Bonifico 2692024pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Bonifico 2692024pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Bonifico 2692024pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Bonifico 2692024pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: colorcpl.pdbGCTL source: svchost.exe, 00000002.00000003.2100988646.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2101004918.0000000003430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2102673772.0000000005620000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2100887491.000000000341C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4499924950.0000000000C50000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb source: svchost.exe, 00000002.00000003.2100988646.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2101004918.0000000003430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2102673772.0000000005620000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2100887491.000000000341C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000004.00000002.4499924950.0000000000C50000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Bonifico 2692024pdf.exe, 00000000.00000003.2041580738.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Bonifico 2692024pdf.exe, 00000000.00000003.2042095302.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2042804509.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2044608415.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2101721514.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.00000000052AE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2103406264.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.0000000005110000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Bonifico 2692024pdf.exe, 00000000.00000003.2041580738.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Bonifico 2692024pdf.exe, 00000000.00000003.2042095302.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2042804509.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2044608415.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000004.00000003.2101721514.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.00000000052AE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2103406264.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.0000000005110000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4513780603.0000000010CBF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4500309363.000000000330E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501809903.000000000565F000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4513780603.0000000010CBF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4500309363.000000000330E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501809903.000000000565F000.00000004.10000000.00040000.00000000.sdmp
Source: Bonifico 2692024pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Bonifico 2692024pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Bonifico 2692024pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Bonifico 2692024pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Bonifico 2692024pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0103C304 LoadLibraryA,GetProcAddress, 0_2_0103C304
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FE8B85 push ecx; ret 0_2_00FE8B98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041702C pushad ; retf 2_2_0041702D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041726A push esp; iretd 2_2_0041726D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417AA2 push ds; retf 2_2_00417AA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040AB37 push FFFFFFF3h; iretd 2_2_0040AB3A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4D2 push eax; ret 2_2_0041D4D8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4DB push eax; ret 2_2_0041D542
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D485 push eax; ret 2_2_0041D4D8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E571 push es; retf 2_2_0041E57A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D53C push eax; ret 2_2_0041D542
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A0225F pushad ; ret 2_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A027FA pushad ; ret 2_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx 2_2_03A309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A0283D push eax; iretd 2_2_03A02858
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A01366 push eax; iretd 2_2_03A01369
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEEB1E push esp; retn 0000h 2_2_02FEEB1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEEB02 push esp; retn 0000h 2_2_02FEEB03
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEE9B5 push esp; retn 0000h 2_2_02FEEAE7
Source: C:\Windows\explorer.exe Code function: 3_2_0E56EB1E push esp; retn 0000h 3_2_0E56EB1F
Source: C:\Windows\explorer.exe Code function: 3_2_0E56EB02 push esp; retn 0000h 3_2_0E56EB03
Source: C:\Windows\explorer.exe Code function: 3_2_0E56E9B5 push esp; retn 0000h 3_2_0E56EAE7
Source: C:\Windows\explorer.exe Code function: 3_2_109189B5 push esp; retn 0000h 3_2_10918AE7
Source: C:\Windows\explorer.exe Code function: 3_2_10918B1E push esp; retn 0000h 3_2_10918B1F
Source: C:\Windows\explorer.exe Code function: 3_2_10918B02 push esp; retn 0000h 3_2_10918B03
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_00C51A6D push ecx; ret 4_2_00C51A80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051127FA pushad ; ret 4_2_051127F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0511225F pushad ; ret 4_2_051127F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_051409AD push ecx; mov dword ptr [esp], ecx 4_2_051409B6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0511283D push eax; iretd 4_2_05112858
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0511135D push eax; iretd 4_2_05111369
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_0327726A push esp; iretd 4_2_0327726D
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00FC4A35
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_010455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_010455FD
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FE33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00FE33C7
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe API/Special instruction interceptor: Address: E53284
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\colorcpl.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\colorcpl.exe API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\colorcpl.exe API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\colorcpl.exe API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\colorcpl.exe API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\colorcpl.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\colorcpl.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\colorcpl.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\colorcpl.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 3269904 second address: 326990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 3269B7E second address: 3269B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1684 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 8260 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 880 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 9800 Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.0 %
Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 2.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 1240 Thread sleep count: 1684 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1240 Thread sleep time: -3368000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 1240 Thread sleep count: 8260 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1240 Thread sleep time: -16520000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6500 Thread sleep count: 171 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6500 Thread sleep time: -342000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6500 Thread sleep count: 9800 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6500 Thread sleep time: -19600000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01024696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_01024696
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102C93C FindFirstFileW,FindClose, 0_2_0102C93C
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0102C9C7
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0102F35D
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0102F200
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0102F65E
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01023A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_01023A2B
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01023D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_01023D4E
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0102BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0102BF27
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00FC4AFE
Source: explorer.exe, 00000003.00000002.4507951422.0000000009C96000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000003.00000000.2056882234.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000003.00000000.2059229241.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000003.00000000.2059229241.0000000009B79000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000000.2059229241.0000000009B79000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000003.00000002.4507951422.0000000009C96000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.4506883763.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000003.00000002.4502198824.000000000354E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000003.00000002.4507951422.0000000009C96000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000002.4502198824.000000000354E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000002.4500060295.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000003.00000000.2056882234.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000003.00000002.4506883763.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000002.4502198824.000000000354E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000002.4502198824.000000000354E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000003.00000000.2059229241.0000000009B79000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000003.00000002.4500060295.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000002.4506883763.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.2056882234.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040ACF0 LdrLoadDll, 2_2_0040ACF0
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_010341FD BlockInput, 0_2_010341FD
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00FC3B4C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FF5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00FF5CCC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_0103C304 LoadLibraryA,GetProcAddress, 0_2_0103C304
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00E534F0 mov eax, dword ptr fs:[00000030h] 0_2_00E534F0
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00E53550 mov eax, dword ptr fs:[00000030h] 0_2_00E53550
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00E51E70 mov eax, dword ptr fs:[00000030h] 0_2_00E51E70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h] 2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h] 2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h] 2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h] 2_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h] 2_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h] 2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h] 2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h] 2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] 2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] 2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] 2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] 2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] 2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] 2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] 2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] 2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h] 2_2_03A663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h] 2_2_03AEC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h] 2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h] 2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h] 2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h] 2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h] 2_2_03AB63C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h] 2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h] 2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE3DB mov ecx, dword ptr fs:[00000030h] 2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h] 2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h] 2_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h] 2_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h] 2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B08324 mov ecx, dword ptr fs:[00000030h] 2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h] 2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h] 2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h] 2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h] 2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h] 2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h] 2_2_03A2C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h] 2_2_03A50310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h] 2_2_03AD437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] 2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h] 2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h] 2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h] 2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h] 2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h] 2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h] 2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h] 2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD8350 mov ecx, dword ptr fs:[00000030h] 2_2_03AD8350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B0634F mov eax, dword ptr fs:[00000030h] 2_2_03B0634F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h] 2_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h] 2_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h] 2_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h] 2_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h] 2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h] 2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h] 2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h] 2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h] 2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h] 2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B062D6 mov eax, dword ptr fs:[00000030h] 2_2_03B062D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h] 2_2_03A2823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h] 2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h] 2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h] 2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h] 2_2_03A2826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h] 2_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h] 2_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B0625D mov eax, dword ptr fs:[00000030h] 2_2_03B0625D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h] 2_2_03A2A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h] 2_2_03A36259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h] 2_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h] 2_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h] 2_2_03A70185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h] 2_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h] 2_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h] 2_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h] 2_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h] 2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h] 2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h] 2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h] 2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h] 2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h] 2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h] 2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h] 2_2_03B061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h] 2_2_03A601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h] 2_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h] 2_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h] 2_2_03A60124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h] 2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h] 2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h] 2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h] 2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h] 2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h] 2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h] 2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h] 2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h] 2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h] 2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h] 2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h] 2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h] 2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h] 2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h] 2_2_03AF0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h] 2_2_03B04164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h] 2_2_03B04164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h] 2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h] 2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h] 2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h] 2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h] 2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h] 2_2_03A2C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h] 2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h] 2_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h] 2_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A280A0 mov eax, dword ptr fs:[00000030h] 2_2_03A280A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h] 2_2_03AC80A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h] 2_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h] 2_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h] 2_2_03A3208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_03A2A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h] 2_2_03A380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h] 2_2_03AB60E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h] 2_2_03A2C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h] 2_2_03A720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h] 2_2_03AB20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h] 2_2_03A2A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h] 2_2_03A2C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC6030 mov eax, dword ptr fs:[00000030h] 2_2_03AC6030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h] 2_2_03AB4000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] 2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] 2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] 2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] 2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] 2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] 2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] 2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] 2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h] 2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h] 2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h] 2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h] 2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h] 2_2_03A5C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h] 2_2_03A32050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h] 2_2_03AB6050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h] 2_2_03A307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE47A0 mov eax, dword ptr fs:[00000030h] 2_2_03AE47A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD678E mov eax, dword ptr fs:[00000030h] 2_2_03AD678E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h] 2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h] 2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h] 2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABE7E1 mov eax, dword ptr fs:[00000030h] 2_2_03ABE7E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h] 2_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h] 2_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h] 2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h] 2_2_03AB07C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h] 2_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h] 2_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h] 2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h] 2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h] 2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h] 2_2_03AAC730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h] 2_2_03A6C700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h] 2_2_03A30710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h] 2_2_03A60710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h] 2_2_03A38770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h] 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h] 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h] 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h] 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h] 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h] 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h] 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h] 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h] 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h] 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h] 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h] 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6674D mov esi, dword ptr fs:[00000030h] 2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h] 2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h] 2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A30750 mov eax, dword ptr fs:[00000030h] 2_2_03A30750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABE75D mov eax, dword ptr fs:[00000030h] 2_2_03ABE75D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h] 2_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h] 2_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB4755 mov eax, dword ptr fs:[00000030h] 2_2_03AB4755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6C6A6 mov eax, dword ptr fs:[00000030h] 2_2_03A6C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A666B0 mov eax, dword ptr fs:[00000030h] 2_2_03A666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h] 2_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h] 2_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h] 2_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h] 2_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6A6C7 mov eax, dword ptr fs:[00000030h] 2_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4E627 mov eax, dword ptr fs:[00000030h] 2_2_03A4E627
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A66620 mov eax, dword ptr fs:[00000030h] 2_2_03A66620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A68620 mov eax, dword ptr fs:[00000030h] 2_2_03A68620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3262C mov eax, dword ptr fs:[00000030h] 2_2_03A3262C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE609 mov eax, dword ptr fs:[00000030h] 2_2_03AAE609
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h] 2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h] 2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h] 2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h] 2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h] 2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h] 2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h] 2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A72619 mov eax, dword ptr fs:[00000030h] 2_2_03A72619
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h] 2_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h] 2_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h] 2_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h] 2_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A62674 mov eax, dword ptr fs:[00000030h] 2_2_03A62674
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4C640 mov eax, dword ptr fs:[00000030h] 2_2_03A4C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h] 2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h] 2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h] 2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h] 2_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h] 2_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A32582 mov eax, dword ptr fs:[00000030h] 2_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A32582 mov ecx, dword ptr fs:[00000030h] 2_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A64588 mov eax, dword ptr fs:[00000030h] 2_2_03A64588
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E59C mov eax, dword ptr fs:[00000030h] 2_2_03A6E59C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A325E0 mov eax, dword ptr fs:[00000030h] 2_2_03A325E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h] 2_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h] 2_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h] 2_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h] 2_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A365D0 mov eax, dword ptr fs:[00000030h] 2_2_03A365D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h] 2_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h] 2_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h] 2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h] 2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h] 2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h] 2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h] 2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h] 2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h] 2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h] 2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h] 2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h] 2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h] 2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC6500 mov eax, dword ptr fs:[00000030h] 2_2_03AC6500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h] 2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h] 2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h] 2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h] 2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h] 2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h] 2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h] 2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h] 2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h] 2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h] 2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h] 2_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h] 2_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A364AB mov eax, dword ptr fs:[00000030h] 2_2_03A364AB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A644B0 mov ecx, dword ptr fs:[00000030h] 2_2_03A644B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABA4B0 mov eax, dword ptr fs:[00000030h] 2_2_03ABA4B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AEA49A mov eax, dword ptr fs:[00000030h] 2_2_03AEA49A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A304E5 mov ecx, dword ptr fs:[00000030h] 2_2_03A304E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h] 2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h] 2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h] 2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2C427 mov eax, dword ptr fs:[00000030h] 2_2_03A2C427
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h] 2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h] 2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h] 2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h] 2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h] 2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h] 2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h] 2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6A430 mov eax, dword ptr fs:[00000030h] 2_2_03A6A430
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h] 2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h] 2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h] 2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABC460 mov ecx, dword ptr fs:[00000030h] 2_2_03ABC460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h] 2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h] 2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h] 2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h] 2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h] 2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h] 2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h] 2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h] 2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h] 2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h] 2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h] 2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AEA456 mov eax, dword ptr fs:[00000030h] 2_2_03AEA456
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2645D mov eax, dword ptr fs:[00000030h] 2_2_03A2645D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5245A mov eax, dword ptr fs:[00000030h] 2_2_03A5245A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h] 2_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h] 2_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h] 2_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h] 2_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h] 2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h] 2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h] 2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5EBFC mov eax, dword ptr fs:[00000030h] 2_2_03A5EBFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABCBF0 mov eax, dword ptr fs:[00000030h] 2_2_03ABCBF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h] 2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h] 2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h] 2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h] 2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h] 2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h] 2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADEBD0 mov eax, dword ptr fs:[00000030h] 2_2_03ADEBD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h] 2_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h] 2_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h] 2_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h] 2_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04B00 mov eax, dword ptr fs:[00000030h] 2_2_03B04B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2CB7E mov eax, dword ptr fs:[00000030h] 2_2_03A2CB7E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h] 2_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h] 2_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h] 2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h] 2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h] 2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h] 2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h] 2_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h] 2_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFAB40 mov eax, dword ptr fs:[00000030h] 2_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD8B42 mov eax, dword ptr fs:[00000030h] 2_2_03AD8B42
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A28B50 mov eax, dword ptr fs:[00000030h] 2_2_03A28B50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADEB50 mov eax, dword ptr fs:[00000030h] 2_2_03ADEB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h] 2_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h] 2_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A86AA4 mov eax, dword ptr fs:[00000030h] 2_2_03A86AA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04A80 mov eax, dword ptr fs:[00000030h] 2_2_03B04A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A68A90 mov edx, dword ptr fs:[00000030h] 2_2_03A68A90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h] 2_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h] 2_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h] 2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h] 2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h] 2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A30AD0 mov eax, dword ptr fs:[00000030h] 2_2_03A30AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h] 2_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h] 2_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6CA24 mov eax, dword ptr fs:[00000030h] 2_2_03A6CA24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5EA2E mov eax, dword ptr fs:[00000030h] 2_2_03A5EA2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h] 2_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h] 2_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6CA38 mov eax, dword ptr fs:[00000030h] 2_2_03A6CA38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABCA11 mov eax, dword ptr fs:[00000030h] 2_2_03ABCA11
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h] 2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h] 2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h] 2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ADEA60 mov eax, dword ptr fs:[00000030h] 2_2_03ADEA60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h] 2_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h] 2_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h] 2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h] 2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h] 2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h] 2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h] 2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h] 2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h] 2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h] 2_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h] 2_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h] 2_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h] 2_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB89B3 mov esi, dword ptr fs:[00000030h] 2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h] 2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h] 2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABE9E0 mov eax, dword ptr fs:[00000030h] 2_2_03ABE9E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h] 2_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h] 2_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC69C0 mov eax, dword ptr fs:[00000030h] 2_2_03AC69C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A649D0 mov eax, dword ptr fs:[00000030h] 2_2_03A649D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFA9D3 mov eax, dword ptr fs:[00000030h] 2_2_03AFA9D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB892A mov eax, dword ptr fs:[00000030h] 2_2_03AB892A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC892B mov eax, dword ptr fs:[00000030h] 2_2_03AC892B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h] 2_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h] 2_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABC912 mov eax, dword ptr fs:[00000030h] 2_2_03ABC912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h] 2_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h] 2_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h] 2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h] 2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h] 2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h] 2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A7096E mov edx, dword ptr fs:[00000030h] 2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h] 2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h] 2_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h] 2_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABC97C mov eax, dword ptr fs:[00000030h] 2_2_03ABC97C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB0946 mov eax, dword ptr fs:[00000030h] 2_2_03AB0946
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04940 mov eax, dword ptr fs:[00000030h] 2_2_03B04940
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A30887 mov eax, dword ptr fs:[00000030h] 2_2_03A30887
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABC89D mov eax, dword ptr fs:[00000030h] 2_2_03ABC89D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFA8E4 mov eax, dword ptr fs:[00000030h] 2_2_03AFA8E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h] 2_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h] 2_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E8C0 mov eax, dword ptr fs:[00000030h] 2_2_03A5E8C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B008C0 mov eax, dword ptr fs:[00000030h] 2_2_03B008C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h] 2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h] 2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h] 2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A52835 mov ecx, dword ptr fs:[00000030h] 2_2_03A52835
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_010181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_010181F7
Enables debug privileges
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FEA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00FEA395
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FEA364 SetUnhandledExceptionFilter, 0_2_00FEA364
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_00C51AC3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00C51AC3

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 1028 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Thread register set: target process: 1028 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: C50000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 30D8008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01018C93 LogonUserW, 0_2_01018C93
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00FC3B4C
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00FC4A35
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01024F21 mouse_event, 0_2_01024F21
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Bonifico 2692024pdf.exe" Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_010181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_010181F7
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01024C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_01024C03
Source: Bonifico 2692024pdf.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000003.3097566585.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4507885872.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095576604.0000000009B79000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000003.00000000.2054110873.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4501147415.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: Bonifico 2692024pdf.exe, explorer.exe, 00000003.00000000.2056460554.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2054110873.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4501147415.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.2054110873.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4501147415.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.2054110873.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4501147415.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.2053555947.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4500060295.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FE886B cpuid 0_2_00FE886B
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FF50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00FF50D7
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01002230 GetUserNameW, 0_2_01002230
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FF418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00FF418A
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_00FC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00FC4AFE

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
OS version to string mapping found (often used in BOTs)
Source: Bonifico 2692024pdf.exe Binary or memory string: WIN_81
Source: Bonifico 2692024pdf.exe Binary or memory string: WIN_XP
Source: Bonifico 2692024pdf.exe Binary or memory string: WIN_XPe
Source: Bonifico 2692024pdf.exe Binary or memory string: WIN_VISTA
Source: Bonifico 2692024pdf.exe Binary or memory string: WIN_7
Source: Bonifico 2692024pdf.exe Binary or memory string: WIN_8
Source: Bonifico 2692024pdf.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01036596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_01036596
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: 0_2_01036A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_01036A5A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519629 Sample: Bonifico 2692024pdf.exe Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 29 www.eeplab.xyz 2->29 31 www.zkirv.top 2->31 33 10 other IPs or domains 2->33 35 Suricata IDS alerts for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 43 8 other signatures 2->43 11 Bonifico 2692024pdf.exe 4 2->11         started        signatures3 41 Performs DNS queries to domains with low reputation 29->41 process4 signatures5 53 Binary is likely a compiled AutoIt script file 11->53 55 Writes to foreign memory regions 11->55 57 Maps a DLL or memory area into another process 11->57 14 svchost.exe 11->14         started        process6 signatures7 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 3 other signatures 14->65 17 explorer.exe 91 1 14->17 injected process8 dnsIp9 27 www.bets.net 195.85.59.61, 62804, 80 DANISCODK Denmark 17->27 20 colorcpl.exe 17->20         started        process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 51 Switches to a custom stack to bypass stack traces 20->51 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.85.59.61
 www.bets.net Denmark
15411 DANISCODK true

Contacted Domains

Name IP Active
www.bets.net 195.85.59.61 true
241.42.69.40.in-addr.arpa unknown unknown
www.eeplab.xyz unknown unknown
www.ower-bank-za-4886348.world unknown unknown
www.oland-flight-deal.today unknown unknown
www.zkirv.top unknown unknown
www.reakinggroundtherapy.pro unknown unknown
www.emosjumpers.net unknown unknown
www.arpediemwireless.net unknown unknown
www.ome-care-76206.bond unknown unknown
www.inoliga.app unknown unknown
www.believehim.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.reakinggroundtherapy.pro/e23y/ true
  • Avira URL Cloud: safe
 unknown
http://www.bets.net/e23y/?t8UP=DwtvniUQLpu3MRUm2IfWFG9b5evRRAGuG0irUgkzEgTLOHOkkfBziq8rt1/3cMlKaUc0&9r4Hc=GdSL true
  • Avira URL Cloud: safe
 unknown