Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample name: Purchase Order.exe
Analysis ID: 1523569
MD5: 4bf3c3730f87303d462d33cd7439d24e
SHA1: 0b242ca2f09aca59d55bfcac3c6842d3b5ed2578
SHA256: 3ef886ad71e5fc825b9b608b3f80ce2a3c3dafc0ecc1bc7dc9721c6855898bc6
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shut down / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: Purchase Order.exe ReversingLabs: Detection: 31%
Source: Yara match File source: 2.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4885525142.0000000004250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4885598668.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3339599911.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3338743779.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Purchase Order.exe Joe Sandbox ML: detected
Source: Purchase Order.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: expand.pdb source: svchost.exe, 00000002.00000003.3307786096.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3307529501.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Purchase Order.exe, 00000000.00000003.2475206794.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, Purchase Order.exe, 00000000.00000003.2478113585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3255295030.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3339721963.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3252572055.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3339721963.000000000332D000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000005.00000002.4885822563.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000005.00000003.3341859494.0000000004301000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000005.00000002.4885822563.00000000045DD000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000005.00000003.3338856185.000000000415C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order.exe, 00000000.00000003.2475206794.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, Purchase Order.exe, 00000000.00000003.2478113585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.3255295030.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3339721963.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3252572055.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3339721963.000000000332D000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000005.00000002.4885822563.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000005.00000003.3341859494.0000000004301000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000005.00000002.4885822563.00000000045DD000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000005.00000003.3338856185.000000000415C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: expand.pdbGCTL source: svchost.exe, 00000002.00000003.3307786096.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3307529501.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0044BD29 FindFirstFileW,CopyFileW,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_00475FE5
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0044BF8D FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: explorer.exe, 00000006.00000000.4818852400.000000000D8D9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7533683446.0000000009E4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7539179240.000000000D8D9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4815046665.0000000009E4A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 00000006.00000000.4818852400.000000000D8D9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7533683446.0000000009E4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7539179240.000000000D8D9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4815046665.0000000009E4A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000006.00000000.4818852400.000000000D8D9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7533683446.0000000009E4A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7539179240.000000000D8D9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4815046665.0000000009E4A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000002.7538704599.000000000D8BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4818523594.000000000D8BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: explorer.exe, 00000006.00000002.7535770556.000000000AC50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.4810489818.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.7534939116.000000000A1D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000006.00000002.7532968534.0000000009CA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4814522688.0000000009CA7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 00000006.00000000.4811153831.00000000037A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7528175498.00000000037A0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000006.00000000.4811153831.00000000037A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7528175498.00000000037A0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/;
Source: explorer.exe, 00000006.00000002.7532753166.0000000009C04000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000000.4818523594.000000000D88C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7538704599.000000000D88C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=74FEDC5505D64D82A7BF425565317295&timeOut=5000&oc
Source: explorer.exe, 00000006.00000002.7531970828.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4813810894.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DC09251A71C5472DA2BDFD73DC109609&timeOut=5000&oc
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531970828.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4813810894.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4818523594.000000000D88C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7538704599.000000000D88C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000000.4814714514.0000000009CB5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7533219203.0000000009CB5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comI
Source: explorer.exe, 00000006.00000000.4813771435.0000000009A90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531907911.0000000009A90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.c
Source: explorer.exe, 00000006.00000000.4813771435.0000000009A90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531907911.0000000009A90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.ceath
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/index/svg/light/greenup.svg
Source: explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/index/svg/light/reddown.svg
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/D200PartlySunnyV2.pn
Source: explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/D200PartlySunnyV2.sv
Source: explorer.exe, 00000006.00000002.7531970828.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4813810894.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.que
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gAyL
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gAyL-dark
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gFtr
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gFtr-dark
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRoU
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRoU-dark
Source: explorer.exe, 00000006.00000002.7539498768.000000000D927000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819076069.000000000D927000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000006.00000002.7531970828.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4813810894.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA179X84.img
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1rx96r.img
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA3AZO2.img
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6J22N.img
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAZhPUS.img
Source: explorer.exe, 00000006.00000000.4813771435.0000000009A90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531907911.0000000009A90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAw0aqB.img
Source: explorer.exe, 00000006.00000000.4813771435.0000000009A90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531907911.0000000009A90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAw0aqB.imgrofi
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBiuKxg.img
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBxWcHH.img
Source: explorer.exe, 00000006.00000000.4813771435.0000000009A90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531907911.0000000009A90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ntp.m
Source: explorer.exe, 00000006.00000000.4813771435.0000000009A90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531907911.0000000009A90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ntp.mdge/ntp?
Source: explorer.exe, 00000006.00000000.4813771435.0000000009A90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531907911.0000000009A90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ntp.msn.com/edge/ntp?cm=e
Source: explorer.exe, 00000006.00000000.4813771435.0000000009A90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531907911.0000000009A90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ntp.msn.com/edge/ntp?cm=e&oci
Source: explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=03f221f1-efc8-4ebc-bcdc-9c6b
Source: explorer.exe, 00000006.00000002.7539498768.000000000D927000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819076069.000000000D927000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.comP51
Source: explorer.exe, 00000006.00000002.7539498768.000000000D927000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819076069.000000000D927000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.comp
Source: explorer.exe, 00000006.00000000.4818523594.000000000D88C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7538704599.000000000D88C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comEM
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://universalstore.streaming.mediaservices.windows.net/75db58d3-3007-4c4c-b2fc-8f6f86633a31/5aba
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531970828.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4813810894.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531970828.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4813810894.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000002.7539498768.000000000D927000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819076069.000000000D927000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/a36622721/everything-bagel-seasoning/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/g1590/easy-lunch-sandwiches/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/g39601341/breakfast-meal-prep-ideas/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/nutrition/g2599/healthy-dinner-salads/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a22096112/copycat-chipotle-chicken-recipe/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a26146740/ahi-poke-bowls/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a27793321/chimichurri-sauce-recipe/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a40022315/steak-grain-bowls-recipe/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a40239263/philadelphia-roll-recipe/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a40837113/caribbean-cobb-salad-recipe/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a52078/crunchwrap-supreme-recipe/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/g1092/wrap-recipes/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/g2887/138-no-bake-desserts/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/g3026/fall-soup-recipes/
Source: explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/g3034/quick-work-lunch-ideas/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/g32055698/how-to-make-leftovers-more-exciting/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/g3219/copycat-recipes/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/g3338/best-weeknight-dinners/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a45873/copycat-olive-garden-zuppa-toscana-recipe
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a46821/general-tsos-chicken-stir-fry-recipe/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a49533/asian-lettuce-wraps-recipe/
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a54961/chicken-caesar-wraps-recipe/
Source: explorer.exe, 00000006.00000000.4813771435.0000000009A90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531907911.0000000009A90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/channel/source/AZ%20Animals%20US/sr-vid-7etr9q8xun
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7531970828.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4813810894.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/feed
Source: explorer.exe, 00000006.00000002.7531970828.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4813810894.0000000009AA2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/foodanddrink/cookingschool/for-the-best-grilled-clams-avoid-this-fatal-mis
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/foodanddrink/recipes/i-asked-3-butchers-how-to-choose-the-best-steak-they-
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/celeb-style/the-21-best-red-carpet-fashion-moments-of-all-time/s
Source: explorer.exe, 00000006.00000002.7531907911.0000000009A90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/tracee-ellis-ross-wedge-ponytail-is-a-new-way-to-
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/pets/these-are-the-largest-reptiles-still-living-in-the-u-s/ss-B
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/companies/charles-schwab-names-president-rick-wurster-as-next-ceo/ar
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/companies/microsoft-exec-tells-staff-there-won-t-be-an-amazon-style-
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/companies/pepsico-to-buy-tortilla-chip-maker-siete-foods-for-1-2-bil
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/ask-the-builder-asphalt-shingle-alternatives/ar-AA1rjlsz
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/movies/news/robert-downey-jr-beams-as-he-makes-his-broadway-bow-on-opening
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/can-kamala-harris-beat-donald-trump-latest-poll-updates/ar-A
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/n-c-presidential-race-close-as-helene-recovery-begins-post-p
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/microsoft-reveals-windows-11-s-ai-roadmap-smart-search-ups
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/a-former-hostage-fought-for-her-own-life-in-gaza-a-year-on-she-
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/prince-william-joins-david-beckham-in-the-cockpit-for-helicopte
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/russia-secures-biggest-victory-since-february-as-it-captures-uk
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/nfl/miami-dolphins-mike-mcdaniel-draws-line-knows-things-must-chang
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/ohio-state-women-s-basketball-freshman-ava-watson-s-ability-t
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/news/arsenio-hall-net-worth-a-closer-look-at-the-comedian-s-wealth/ar-A
Source: explorer.exe, 00000006.00000002.7540381501.000000000DC32000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4819755786.000000000DC32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/news/frank-fritz-american-pickers-co-host-dies-at-60/ar-AA1rxfcm
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00456354
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C08E

E-Banking Fraud

Source: Yara match File source: 2.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4885525142.0000000004250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4885598668.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3339599911.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3338743779.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4885525142.0000000004250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4885598668.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.3339599911.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.3338743779.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: Purchase Order.exe
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0062C383 NtClose, 2_2_0062C383
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00601857 NtProtectVirtualMemory, 2_2_00601857
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272BC0 NtQueryInformationToken,LdrInitializeThunk, 2_2_03272BC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272A80 NtClose,LdrInitializeThunk, 2_2_03272A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272EB0 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03272EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272D10 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032734E0 NtCreateMutant,LdrInitializeThunk, 2_2_032734E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03274260 NtSetContextThread, 2_2_03274260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03274570 NtSuspendThread, 2_2_03274570
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272B20 NtQueryInformationProcess, 2_2_03272B20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272B00 NtQueryValueKey, 2_2_03272B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272B10 NtAllocateVirtualMemory, 2_2_03272B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272B80 NtCreateKey, 2_2_03272B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272B90 NtFreeVirtualMemory, 2_2_03272B90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272BE0 NtQueryVirtualMemory, 2_2_03272BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272A10 NtWriteFile, 2_2_03272A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272AA0 NtQueryInformationFile, 2_2_03272AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272AC0 NtEnumerateValueKey, 2_2_03272AC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032729F0 NtReadFile, 2_2_032729F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032729D0 NtWaitForSingleObject, 2_2_032729D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272F30 NtOpenDirectoryObject, 2_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272F00 NtCreateFile, 2_2_03272F00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272FB0 NtSetValueKey, 2_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272E00 NtQueueApcThread, 2_2_03272E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272E50 NtCreateSection, 2_2_03272E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272E80 NtCreateProcessEx, 2_2_03272E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272EC0 NtQuerySection, 2_2_03272EC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272ED0 NtResumeThread, 2_2_03272ED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272D50 NtWriteVirtualMemory, 2_2_03272D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272DA0 NtReadVirtualMemory, 2_2_03272DA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272DC0 NtAdjustPrivilegesToken, 2_2_03272DC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272C20 NtSetInformationFile, 2_2_03272C20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272C30 NtMapViewOfSection, 2_2_03272C30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272C10 NtOpenProcess, 2_2_03272C10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272C50 NtUnmapViewOfSection, 2_2_03272C50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272CF0 NtDelayExecution, 2_2_03272CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272CD0 NtEnumerateKey, 2_2_03272CD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032738D0 NtGetContextThread, 2_2_032738D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03273C30 NtOpenProcessToken, 2_2_03273C30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03273C90 NtOpenThread, 2_2_03273C90
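The "Code function" lines above enumerate the native-API call sites the sandbox found in the injected svchost.exe. Read together they describe a process-injection chain (open a target, get a payload into it by writing or section mapping, then redirect execution via APC or thread context), but the report lists them one per line and leaves the grouping to the reader. The following is an added example, not part of the sandbox report or its tooling: it parses lines in this exact format and groups the APIs into stages. The stage mapping and the "injection_chain" verdict rule are this example's own assumptions; the sample lines are copied from the report.

```python
"""Group the native-API call sites from a sandbox 'Code function' listing
into process-injection stages.

Added example, not the sandbox's own code. The stage table and the verdict
rule are assumptions made here for illustration.
"""
import re
from collections import defaultdict

# A representative subset of the report's own "Code function" lines.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00601857 NtProtectVirtualMemory, 2_2_00601857
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03274260 NtSetContextThread, 2_2_03274260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03274570 NtSuspendThread, 2_2_03274570
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272B10 NtAllocateVirtualMemory, 2_2_03272B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272E00 NtQueueApcThread, 2_2_03272E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272E50 NtCreateSection, 2_2_03272E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272ED0 NtResumeThread, 2_2_03272ED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272D50 NtWriteVirtualMemory, 2_2_03272D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272C30 NtMapViewOfSection, 2_2_03272C30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272C10 NtOpenProcess, 2_2_03272C10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272C50 NtUnmapViewOfSection, 2_2_03272C50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272A80 NtClose,LdrInitializeThunk, 2_2_03272A80
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00434D50: GetFullPathNameW,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00409A40 0_2_00409A40
"""

# Line shape: "Source: <image> Code function: <id>[:] <api,api,...>, <id>"
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: "
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]+):?\s*(?P<apis>.*?)\s*(?P=fid)$"
)

# Assumed stage table: which native calls serve which step of an injection.
STAGES = {
    "open_target": {"NtOpenProcess", "NtOpenThread"},
    "write_memory": {"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory"},
    "map_section": {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "hijack_execution": {"NtQueueApcThread", "NtSetContextThread", "NtGetContextThread",
                         "NtSuspendThread", "NtResumeThread", "NtCreateProcessEx"},
}


def parse_report_lines(text):
    """Yield (image, function_id, [api, ...]) for each 'Code function' line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        apis = [a for a in m.group("apis").strip(" ,").split(",") if a]
        yield m.group("image"), m.group("fid"), apis


def classify(text):
    """Return, per image, the stages seen, all Nt*/Zw* calls, and a verdict."""
    seen = defaultdict(lambda: {"stages": defaultdict(set), "native_apis": set()})
    for image, _fid, apis in parse_report_lines(text):
        entry = seen[image]
        for api in apis:
            if api.startswith(("Nt", "Zw")):
                entry["native_apis"].add(api)
            for stage, members in STAGES.items():
                if api in members:
                    entry["stages"][stage].add(api)
    summary = {}
    for image, entry in seen.items():
        stages = {s: sorted(v) for s, v in entry["stages"].items()}
        # Verdict rule (assumption): a target is opened, a payload gets in by
        # write or section mapping, and execution is redirected.
        chain = ("open_target" in stages
                 and ("write_memory" in stages or "map_section" in stages)
                 and "hijack_execution" in stages)
        summary[image] = {"stages": stages,
                          "native_apis": sorted(entry["native_apis"]),
                          "injection_chain": chain}
    return summary


if __name__ == "__main__":
    for image, info in classify(SAMPLE_LINES).items():
        print(image, "injection_chain =", info["injection_chain"])
        for stage, apis in info["stages"].items():
            print("   ", stage, "->", ", ".join(apis))
```

Run against the full listing rather than the subset embedded here, the same parser also pulls out the Win32-level calls of the original executable (which has no Nt* call sites in this report), so the contrast between the dropper and the injected payload is visible from one run.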
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00434D50: GetFullPathNameW,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004461ED DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004461ED
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00409A40 0_2_00409A40
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00412038 0_2_00412038
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00427161 0_2_00427161
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0047E1FA 0_2_0047E1FA
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004212BE 0_2_004212BE
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00443390 0_2_00443390
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00443391 0_2_00443391
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0041A46B 0_2_0041A46B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0041240C 0_2_0041240C
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00446566 0_2_00446566
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004045E0 0_2_004045E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0041D750 0_2_0041D750
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004037E0 0_2_004037E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00427859 0_2_00427859
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00412818 0_2_00412818
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0040F890 0_2_0040F890
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0042397B 0_2_0042397B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00411B63 0_2_00411B63
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0047CBF0 0_2_0047CBF0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0044EBBC 0_2_0044EBBC
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00412C38 0_2_00412C38
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0044ED9A 0_2_0044ED9A
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00423EBF 0_2_00423EBF
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00424F70 0_2_00424F70
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0041AF0D 0_2_0041AF0D
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_04565728 0_2_04565728
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00618363 2_2_00618363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00601941 2_2_00601941
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0062E993 2_2_0062E993
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00602AC0 2_2_00602AC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00602AB3 2_2_00602AB3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00602340 2_2_00602340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0060FBFE 2_2_0060FBFE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0060FC03 2_2_0060FC03
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00616543 2_2_00616543
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0061653E 2_2_0061653E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0060FE23 2_2_0060FE23
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_006026A0 2_2_006026A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0060DEA3 2_2_0060DEA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00602FA0 2_2_00602FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324E310 2_2_0324E310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03202245 2_2_03202245
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0330010E 2_2_0330010E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032EE076 2_2_032EE076
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032300A0 2_2_032300A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324A760 2_2_0324A760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03242760 2_2_03242760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F6757 2_2_032F6757
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325C600 2_2_0325C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03264670 2_2_03264670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323C6E0 2_2_0323C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FA6C0 2_2_032FA6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0330A526 2_2_0330A526
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240445 2_2_03240445
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240B10 2_2_03240B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B4BC0 2_2_032B4BC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FCA13 2_2_032FCA13
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FEA5B 2_2_032FEA5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E2AC0 2_2_032E2AC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323E9A0 2_2_0323E9A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FE9A6 2_2_032FE9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E810 2_2_0326E810
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03226868 2_2_03226868
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03256882 2_2_03256882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032DC89F 2_2_032DC89F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324CF00 2_2_0324CF00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FEFBF 2_2_032FEFBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03246FE0 2_2_03246FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0E6D 2_2_032E0E6D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03282E48 2_2_03282E48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03260E50 2_2_03260E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F0EAD 2_2_032F0EAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03232EE8 2_2_03232EE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323AD00 2_2_0323AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240D69 2_2_03240D69
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03252DB0 2_2_03252DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324AC20 2_2_0324AC20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BEC20 2_2_032BEC20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03230C12 2_2_03230C12
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F6C69 2_2_032F6C69
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FEC60 2_2_032FEC60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032EEC4C 2_2_032EEC4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0330ACEB 2_2_0330ACEB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03258CDF 2_2_03258CDF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FF330 2_2_032FF330
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03231380 2_2_03231380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F124C 2_2_032F124C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322D2EC 2_2_0322D2EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032DD130 2_2_032DD130
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322F113 2_2_0322F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0328717A 2_2_0328717A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325B1E0 2_2_0325B1E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032451C0 2_2_032451C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0327508C 2_2_0327508C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F70F1 2_2_032F70F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324B0D0 2_2_0324B0D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03201707 2_2_03201707
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032DD62C 2_2_032DD62C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E1623 2_2_032E1623
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032ED646 2_2_032ED646
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B36EC 2_2_032B36EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FF6F6 2_2_032FF6F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FF5C9 2_2_032FF5C9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F75C6 2_2_032F75C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AD480 2_2_032AD480
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D5490 2_2_032D5490
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FFB2E 2_2_032FFB2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0327DB19 2_2_0327DB19
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D1B80 2_2_032D1B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325FAA0 2_2_0325FAA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FFA89 2_2_032FFA89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032099E8 2_2_032099E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032859C0 2_2_032859C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03243800 2_2_03243800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03249870 2_2_03249870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325B870 2_2_0325B870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B5870 2_2_032B5870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FF872 2_2_032FF872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B98B2 2_2_032B98B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F78F3 2_2_032F78F3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F18DA 2_2_032F18DA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FFF63 2_2_032FFF63
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BFF40 2_2_032BFF40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E3FA0 2_2_032E3FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F1FC6 2_2_032F1FC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03241EB2 2_2_03241EB2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F9ED2 2_2_032F9ED2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FFD27 2_2_032FFD27
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F3D22 2_2_032F3D22
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F7D4C 2_2_032F7D4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032DFDF4 2_2_032DFDF4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03249DD0 2_2_03249DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03243C60 2_2_03243C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D9C98 2_2_032D9C98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032C7CE8 2_2_032C7CE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325FCE0 2_2_0325FCE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03287BE4 appears 99 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03275050 appears 57 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 032BEF10 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0322B910 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 032AE692 appears 86 times
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: String function: 0040E6D0 appears 35 times
Source: Purchase Order.exe, 00000000.00000003.2476458487.0000000004C93000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000003.2476800620.0000000004E3D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order.exe
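The two lines above report a PE image inside the sample's memory whose VERSIONINFO OriginalFilename is ntdll.dll rather than the sample's own name, which is what you would expect to see when a second copy of ntdll has been loaded into the process. Confirming that by hand means walking a memory dump for embedded PE headers and reading each image's OriginalFilename. The following is an added example and not part of the sandbox report: a small scanner that does exactly that. The dump it runs on is constructed inline (two tiny hand-built PE-shaped blobs) so it runs offline; on real input you would read a .sdmp region from disk into `buf`. The minimal header layout built here is an assumption sufficient for the scanner, not a faithful ntdll image.

```python
"""Locate embedded PE images in a memory region and report the
OriginalFilename stored in each image's VERSIONINFO block.

Added example, not the sandbox's own code. CONSTRUCTED_DUMP is built inline
for illustration; a real run would pass bytes read from a dump file.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def find_pe_images(buf):
    """Return (offset, machine) for every plausible PE header in buf.

    A hit needs an 'MZ' stub, an e_lfanew that stays inside the buffer and a
    'PE\\0\\0' signature there; the COFF Machine field tells 32-bit from 64-bit.
    """
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            (e_lfanew,) = struct.unpack_from("<I", buf, pos + 0x3C)
            pe = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and pe + 24 <= len(buf) and buf[pe:pe + 4] == b"PE\x00\x00":
                (machine,) = struct.unpack_from("<H", buf, pe + 4)
                hits.append((pos, machine))
        pos = buf.find(b"MZ", pos + 1)
    return hits


def _read_utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le", errors="replace")


def original_filename(buf, start, end):
    """Return the VERSIONINFO OriginalFilename value in buf[start:end], or None.

    VS_VERSIONINFO stores key and value as UTF-16LE strings; the value follows
    the key's terminator and DWORD alignment padding, which we skip as NULs.
    """
    key = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    idx = buf.find(key, start, end)
    if idx == -1:
        return None
    pos = idx + len(key)
    while pos + 1 < end and buf[pos:pos + 2] == b"\x00\x00":
        pos += 2
    return _read_utf16z(buf, pos)


def report(buf, host_name):
    """Describe each embedded image; flag ones named differently from the host file."""
    hits = find_pe_images(buf)
    out = []
    for i, (off, machine) in enumerate(hits):
        next_off = hits[i + 1][0] if i + 1 < len(hits) else len(buf)
        name = original_filename(buf, off, next_off)
        out.append({"offset": off, "machine": machine, "original_filename": name,
                    "mismatch": name is not None and name.lower() != host_name.lower()})
    return out


def build_fake_image(original_name):
    """Constructed PE-shaped blob: MZ stub, e_lfanew=0x80, COFF header, then a VERSIONINFO-style key/value."""
    img = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS stub
    struct.pack_into("<I", img, 0x3C, 0x80)           # e_lfanew
    img += b"\x00" * (0x80 - len(img))
    img += b"PE\x00\x00" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 4, 0, 0, 0, 0xE0, 0x0102)
    img += b"\x00" * 0x100                             # stand-in for section data
    img += "OriginalFilename".encode("utf-16-le") + b"\x00\x00" + b"\x00\x00"  # key, NUL, DWORD pad
    img += original_name.encode("utf-16-le") + b"\x00\x00"
    return bytes(img)


# Constructed dump: the sample's own image followed by a second, ntdll-named
# image, mirroring the OriginalFilename mismatch the sandbox reported.
CONSTRUCTED_DUMP = (b"\xCC" * 0x40 + build_fake_image("Purchase Order.exe")
                    + b"\x00" * 0x20 + build_fake_image("ntdll.dll"))

if __name__ == "__main__":
    for entry in report(CONSTRUCTED_DUMP, "Purchase Order.exe"):
        print(entry)
```

Two images with different OriginalFilename values in one process dump are not proof of hook evasion on their own; the scanner only confirms that an extra image named ntdll.dll is present, and the surrounding findings on the Nt* call sites are what make that observation interesting.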
Source: Purchase Order.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4885525142.0000000004250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4885598668.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.3339599911.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.3338743779.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/1@0/0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW, 0_2_0044AF5C
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464422
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D517
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0043701F
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_0047A999
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0043614F FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043614F
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Local\Temp\Hymenophyllaceae Jump to behavior
Source: Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Purchase Order.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\Purchase Order.exe File read: C:\Users\user\Desktop\Purchase Order.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\SysWOW64\expand.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order.exe" Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\SysWOW64\expand.exe" Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: storageusage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: fhcfg.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: efsutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.internal.system.userprofile.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cloudexperiencehostbroker.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: credui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wdscore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Purchase Order.exe Static file information: File size 1341549 > 1048576
Source: Binary string: expand.pdb source: svchost.exe, 00000002.00000003.3307786096.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3307529501.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Purchase Order.exe, 00000000.00000003.2475206794.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, Purchase Order.exe, 00000000.00000003.2478113585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3255295030.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3339721963.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3252572055.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3339721963.000000000332D000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000005.00000002.4885822563.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000005.00000003.3341859494.0000000004301000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000005.00000002.4885822563.00000000045DD000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000005.00000003.3338856185.000000000415C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order.exe, 00000000.00000003.2475206794.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, Purchase Order.exe, 00000000.00000003.2478113585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.3255295030.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3339721963.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3252572055.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3339721963.000000000332D000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000005.00000002.4885822563.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000005.00000003.3341859494.0000000004301000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000005.00000002.4885822563.00000000045DD000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000005.00000003.3338856185.000000000415C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: expand.pdbGCTL source: svchost.exe, 00000002.00000003.3307786096.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3307529501.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: Purchase Order.exe Static PE information: real checksum: 0xa2135 should be: 0x156728
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0061E91B push ss; iretd 2_2_0061E91C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_006189BB push ebp; ret 2_2_006189BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0061227F pushad ; ret 2_2_00612280
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00603220 push eax; ret 2_2_00603222
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0061EAA5 pushfd ; iretd 2_2_0061EAA7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0060CD11 push edx; ret 2_2_0060CD12
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00611518 push esi; iretd 2_2_00611519
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_006145D7 push FFFFFFABh; ret 2_2_006145EB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00606617 push ebx; iretd 2_2_00606621
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0062D753 push edi; ret 2_2_0062D75C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0061E7F8 push 0000004Bh; retf 2_2_0061E801
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0061DF97 push cs; ret 2_2_0061DF98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032021AD pushad ; retf 0004h 2_2_0320223F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032308CD push ecx; mov dword ptr [esp], ecx 2_2_032308D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032097A1 push es; iretd 2_2_032097A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Windows\SysWOW64\expand.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00444078 0_2_00444078
Source: C:\Users\user\Desktop\Purchase Order.exe API/Special instruction interceptor: Address: 456534C
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF86B60D144
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF86B610594
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF86B60FF74
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF86B60D6C4
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF86B60D864
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF86B60D004
Source: C:\Windows\SysWOW64\expand.exe API/Special instruction interceptor: Address: 7FF86B60D144
Source: C:\Windows\SysWOW64\expand.exe API/Special instruction interceptor: Address: 7FF86B610594
Source: C:\Windows\SysWOW64\expand.exe API/Special instruction interceptor: Address: 7FF86B60D764
Source: C:\Windows\SysWOW64\expand.exe API/Special instruction interceptor: Address: 7FF86B60D324
Source: C:\Windows\SysWOW64\expand.exe API/Special instruction interceptor: Address: 7FF86B60D364
Source: C:\Windows\SysWOW64\expand.exe API/Special instruction interceptor: Address: 7FF86B60D004
Source: C:\Windows\SysWOW64\expand.exe API/Special instruction interceptor: Address: 7FF86B60FF74
Source: C:\Windows\SysWOW64\expand.exe API/Special instruction interceptor: Address: 7FF86B60D6C4
Source: C:\Windows\SysWOW64\expand.exe API/Special instruction interceptor: Address: 7FF86B60D864
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0327088E rdtsc 2_2_0327088E
Source: C:\Windows\SysWOW64\expand.exe Window / User API: threadDelayed 9852 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 882 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 878 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe API coverage: 3.1 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\expand.exe TID: 5716 Thread sleep count: 122 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe TID: 5716 Thread sleep time: -244000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe TID: 5716 Thread sleep count: 9852 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe TID: 5716 Thread sleep time: -19704000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\expand.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0044BD29 FindFirstFileW,CopyFileW,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_00475FE5
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0044BF8D FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: explorer.exe, 00000006.00000002.7532753166.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4814356361.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWROPq
Source: explorer.exe, 00000006.00000002.7539179240.000000000D8C5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000000.4814356361.0000000009C04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.7532753166.0000000009C04000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\wmiacpi.inf_locL
Source: expand.exe, 00000005.00000002.4885259332.0000000000734000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0327088E rdtsc 2_2_0327088E
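The process-creation lines earlier in this report (svchost.exe and expand.exe started with a command line that is not their own) and the sleep-count, DebugPort and rdtsc lines just above are the parts of a Joe Sandbox text export a triage analyst reads first. The script below is an added example, not part of the report or of Joe Sandbox: it parses those "Source: <process> <event>: <detail>" lines, flags process creations whose mapped image does not match the command line or whose system-binary child has a non-Windows parent (a heuristic assumed here, not a rule the report states), and turns the cumulative sleep counters into a per-call delay and total wall-clock time. The input lines are excerpted from the report above; the conclusion that the "sleep time" figure is in milliseconds is an inference from the exact 2000:1 ratio between the time and count values, not something the report documents.

```python
"""Triage helper for Joe Sandbox text-report lines (added example)."""
import ntpath
import re
from collections import Counter

# Constructed input: lines copied from the report above.
REPORT_LINES = [
    r'Source: unknown Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"',
    r'Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order.exe"',
    r'Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\SysWOW64\expand.exe"',
    r'Source: C:\Windows\SysWOW64\expand.exe TID: 5716 Thread sleep count: 122 > 30 Jump to behavior',
    r'Source: C:\Windows\SysWOW64\expand.exe TID: 5716 Thread sleep time: -244000s >= -30000s Jump to behavior',
    r'Source: C:\Windows\SysWOW64\expand.exe TID: 5716 Thread sleep count: 9852 > 30 Jump to behavior',
    r'Source: C:\Windows\SysWOW64\expand.exe TID: 5716 Thread sleep time: -19704000s >= -30000s Jump to behavior',
    r'Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior',
    r'Source: C:\Windows\SysWOW64\expand.exe Process queried: DebugPort Jump to behavior',
    r'Source: C:\Windows\SysWOW64\expand.exe Process queried: DebugPort Jump to behavior',
    r'Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0327088E rdtsc 2_2_0327088E',
    r'Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03268322 mov eax, dword ptr fs:[00000030h] 2_2_03268322',
]

PROC_RE = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<image>.+?) "(?P<cmd>[^"]*)"')
SLEEP_COUNT_RE = re.compile(r'^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+)')
SLEEP_TIME_RE = re.compile(r'^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<t>\d+)s')
DEBUG_RE = re.compile(
    r'^Source: (?P<proc>.+?) (?:Process queried: DebugPort'
    r'|Code function: \S+ rdtsc'
    r'|Code function: \S+ mov e[a-d]x, dword ptr fs:\[00000030h\])')

# Assumption for the parent heuristic: binaries in these directories are
# normally started by other Windows components, not by user/vendor programs.
SYSTEM_DIRS = (r'c:\windows\system32', r'c:\windows\syswow64')


def _is_system_image(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def process_findings(lines):
    """Flag process creations that look like hollowing or surrogate processes."""
    findings = []
    for line in lines:
        m = PROC_RE.match(line)
        if not m:
            continue
        parent, image, cmd = m.group('parent', 'image', 'cmd')
        reasons = []
        # Mapped image differs from the executable named on the command line:
        # the hollowing pattern seen for svchost.exe in this report.
        if ntpath.basename(cmd).lower() != ntpath.basename(image).lower():
            reasons.append('image/command-line mismatch')
        if _is_system_image(image) and not parent.lower().startswith(r'c:\windows'):
            reasons.append('system binary spawned by non-system parent')
        if reasons:
            findings.append({'parent': parent, 'image': image, 'cmd': cmd, 'reasons': reasons})
    return findings


def sleep_summary(lines):
    """Per (process, TID): final sleep count, total delay and per-call delay.

    The report prints cumulative snapshots (122, later 9852 for the same TID),
    so keep the maximum instead of summing.  The suffix says "s", but
    19704000 / 9852 == 2000 exactly, so the value is treated as milliseconds
    (inference from the ratio, not documented by the report)."""
    counts, totals = {}, {}
    for line in lines:
        m = SLEEP_COUNT_RE.match(line)
        if m:
            key = (m['proc'], int(m['tid']))
            counts[key] = max(counts.get(key, 0), int(m['n']))
            continue
        m = SLEEP_TIME_RE.match(line)
        if m:
            key = (m['proc'], int(m['tid']))
            totals[key] = max(totals.get(key, 0), int(m['t']))
    out = {}
    for key in counts.keys() | totals.keys():
        n, ms = counts.get(key, 0), totals.get(key, 0)
        out[key] = {'sleep_calls': n, 'total_ms': ms,
                    'per_call_ms': ms // n if n else 0,
                    'total_hours': round(ms / 3_600_000, 2)}
    return out


def debug_check_counts(lines):
    """Count anti-debug probes per process: DebugPort queries, rdtsc timing, PEB reads."""
    counts = Counter()
    for line in lines:
        m = DEBUG_RE.match(line)
        if not m:
            continue
        kind = 'DebugPort' if 'DebugPort' in line else ('rdtsc' if 'rdtsc' in line else 'PEB fs:[30h]')
        counts[(ntpath.basename(m['proc']), kind)] += 1
    return counts


if __name__ == '__main__':
    for f in process_findings(REPORT_LINES):
        print(f"{ntpath.basename(f['image'])} <- {ntpath.basename(f['parent'])}: {', '.join(f['reasons'])}")
    for (proc, tid), s in sleep_summary(REPORT_LINES).items():
        print(f"{ntpath.basename(proc)} TID {tid}: {s['sleep_calls']} sleeps x {s['per_call_ms']} ms = {s['total_hours']} h")
    for (proc, kind), n in sorted(debug_check_counts(REPORT_LINES).items()):
        print(f"{proc}: {kind} x{n}")
```

Run as-is, the script reports svchost.exe with both the command-line mismatch and the non-system parent, expand.exe with the parent anomaly, and 9852 sleeps of 2000 ms in expand.exe, i.e. about 5.5 hours of requested delay, far beyond a normal sandbox run. The parent heuristic is a starting point only: on a real endpoint, compare against the expected parent for each system binary rather than the directory test used here.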
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_006174F3 LdrLoadDll, 2_2_006174F3
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_045655B8 mov eax, dword ptr fs:[00000030h] 0_2_045655B8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_04565618 mov eax, dword ptr fs:[00000030h] 0_2_04565618
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_04563F68 mov eax, dword ptr fs:[00000030h] 0_2_04563F68
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03268322 mov eax, dword ptr fs:[00000030h] 2_2_03268322
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03268322 mov eax, dword ptr fs:[00000030h] 2_2_03268322
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03268322 mov eax, dword ptr fs:[00000030h] 2_2_03268322
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322E328 mov eax, dword ptr fs:[00000030h] 2_2_0322E328
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322E328 mov eax, dword ptr fs:[00000030h] 2_2_0322E328
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322E328 mov eax, dword ptr fs:[00000030h] 2_2_0322E328
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E4320 mov eax, dword ptr fs:[00000030h] 2_2_032E4320
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D630E mov eax, dword ptr fs:[00000030h] 2_2_032D630E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324E310 mov eax, dword ptr fs:[00000030h] 2_2_0324E310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324E310 mov eax, dword ptr fs:[00000030h] 2_2_0324E310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324E310 mov eax, dword ptr fs:[00000030h] 2_2_0324E310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326631F mov eax, dword ptr fs:[00000030h] 2_2_0326631F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E363 mov eax, dword ptr fs:[00000030h] 2_2_0326E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E363 mov eax, dword ptr fs:[00000030h] 2_2_0326E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E363 mov eax, dword ptr fs:[00000030h] 2_2_0326E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E363 mov eax, dword ptr fs:[00000030h] 2_2_0326E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E363 mov eax, dword ptr fs:[00000030h] 2_2_0326E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E363 mov eax, dword ptr fs:[00000030h] 2_2_0326E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E363 mov eax, dword ptr fs:[00000030h] 2_2_0326E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E363 mov eax, dword ptr fs:[00000030h] 2_2_0326E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE372 mov eax, dword ptr fs:[00000030h] 2_2_032AE372
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE372 mov eax, dword ptr fs:[00000030h] 2_2_032AE372
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE372 mov eax, dword ptr fs:[00000030h] 2_2_032AE372
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE372 mov eax, dword ptr fs:[00000030h] 2_2_032AE372
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B0371 mov eax, dword ptr fs:[00000030h] 2_2_032B0371
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B0371 mov eax, dword ptr fs:[00000030h] 2_2_032B0371
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325237A mov eax, dword ptr fs:[00000030h] 2_2_0325237A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03228347 mov eax, dword ptr fs:[00000030h] 2_2_03228347
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03228347 mov eax, dword ptr fs:[00000030h] 2_2_03228347
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03228347 mov eax, dword ptr fs:[00000030h] 2_2_03228347
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326A350 mov eax, dword ptr fs:[00000030h] 2_2_0326A350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D43BA mov eax, dword ptr fs:[00000030h] 2_2_032D43BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D43BA mov eax, dword ptr fs:[00000030h] 2_2_032D43BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AC3B0 mov eax, dword ptr fs:[00000030h] 2_2_032AC3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325A390 mov eax, dword ptr fs:[00000030h] 2_2_0325A390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325A390 mov eax, dword ptr fs:[00000030h] 2_2_0325A390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325A390 mov eax, dword ptr fs:[00000030h] 2_2_0325A390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322E3C0 mov eax, dword ptr fs:[00000030h] 2_2_0322E3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322E3C0 mov eax, dword ptr fs:[00000030h] 2_2_0322E3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322E3C0 mov eax, dword ptr fs:[00000030h] 2_2_0322E3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322C3C7 mov eax, dword ptr fs:[00000030h] 2_2_0322C3C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032363CB mov eax, dword ptr fs:[00000030h] 2_2_032363CB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032643D0 mov ecx, dword ptr fs:[00000030h] 2_2_032643D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BE3DD mov eax, dword ptr fs:[00000030h] 2_2_032BE3DD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B43D5 mov eax, dword ptr fs:[00000030h] 2_2_032B43D5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B0227 mov eax, dword ptr fs:[00000030h] 2_2_032B0227
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B0227 mov eax, dword ptr fs:[00000030h] 2_2_032B0227
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B0227 mov eax, dword ptr fs:[00000030h] 2_2_032B0227
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326A22B mov eax, dword ptr fs:[00000030h] 2_2_0326A22B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326A22B mov eax, dword ptr fs:[00000030h] 2_2_0326A22B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326A22B mov eax, dword ptr fs:[00000030h] 2_2_0326A22B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03250230 mov ecx, dword ptr fs:[00000030h] 2_2_03250230
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322A200 mov eax, dword ptr fs:[00000030h] 2_2_0322A200
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322821B mov eax, dword ptr fs:[00000030h] 2_2_0322821B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032542AF mov eax, dword ptr fs:[00000030h] 2_2_032542AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032542AF mov eax, dword ptr fs:[00000030h] 2_2_032542AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322C2B0 mov ecx, dword ptr fs:[00000030h] 2_2_0322C2B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE289 mov eax, dword ptr fs:[00000030h] 2_2_032AE289
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0323A2E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0323A2E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0323A2E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0323A2E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0323A2E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0323A2E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032382E0 mov eax, dword ptr fs:[00000030h] 2_2_032382E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032382E0 mov eax, dword ptr fs:[00000030h] 2_2_032382E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032382E0 mov eax, dword ptr fs:[00000030h] 2_2_032382E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032382E0 mov eax, dword ptr fs:[00000030h] 2_2_032382E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032402F9 mov eax, dword ptr fs:[00000030h] 2_2_032402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032402F9 mov eax, dword ptr fs:[00000030h] 2_2_032402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032402F9 mov eax, dword ptr fs:[00000030h] 2_2_032402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032402F9 mov eax, dword ptr fs:[00000030h] 2_2_032402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032402F9 mov eax, dword ptr fs:[00000030h] 2_2_032402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032402F9 mov eax, dword ptr fs:[00000030h] 2_2_032402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032402F9 mov eax, dword ptr fs:[00000030h] 2_2_032402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032402F9 mov eax, dword ptr fs:[00000030h] 2_2_032402F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BA130 mov eax, dword ptr fs:[00000030h] 2_2_032BA130
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03260118 mov eax, dword ptr fs:[00000030h] 2_2_03260118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236179 mov eax, dword ptr fs:[00000030h] 2_2_03236179
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322A147 mov eax, dword ptr fs:[00000030h] 2_2_0322A147
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322A147 mov eax, dword ptr fs:[00000030h] 2_2_0322A147
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322A147 mov eax, dword ptr fs:[00000030h] 2_2_0322A147
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326415F mov eax, dword ptr fs:[00000030h] 2_2_0326415F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E1A4 mov eax, dword ptr fs:[00000030h] 2_2_0326E1A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E1A4 mov eax, dword ptr fs:[00000030h] 2_2_0326E1A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032641BB mov ecx, dword ptr fs:[00000030h] 2_2_032641BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032641BB mov eax, dword ptr fs:[00000030h] 2_2_032641BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032641BB mov eax, dword ptr fs:[00000030h] 2_2_032641BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03234180 mov eax, dword ptr fs:[00000030h] 2_2_03234180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03234180 mov eax, dword ptr fs:[00000030h] 2_2_03234180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03234180 mov eax, dword ptr fs:[00000030h] 2_2_03234180
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0323A1E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0323A1E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0323A1E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0323A1E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0323A1E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F81EE mov eax, dword ptr fs:[00000030h] 2_2_032F81EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F81EE mov eax, dword ptr fs:[00000030h] 2_2_032F81EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032281EB mov eax, dword ptr fs:[00000030h] 2_2_032281EB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032401F1 mov eax, dword ptr fs:[00000030h] 2_2_032401F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032401F1 mov eax, dword ptr fs:[00000030h] 2_2_032401F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032401F1 mov eax, dword ptr fs:[00000030h] 2_2_032401F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032401C0 mov eax, dword ptr fs:[00000030h] 2_2_032401C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032401C0 mov eax, dword ptr fs:[00000030h] 2_2_032401C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03238009 mov eax, dword ptr fs:[00000030h] 2_2_03238009
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032EA01A mov eax, dword ptr fs:[00000030h] 2_2_032EA01A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272010 mov ecx, dword ptr fs:[00000030h] 2_2_03272010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236074 mov eax, dword ptr fs:[00000030h] 2_2_03236074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236074 mov eax, dword ptr fs:[00000030h] 2_2_03236074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03260044 mov eax, dword ptr fs:[00000030h] 2_2_03260044
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B6040 mov eax, dword ptr fs:[00000030h] 2_2_032B6040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032700A5 mov eax, dword ptr fs:[00000030h] 2_2_032700A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B60A0 mov eax, dword ptr fs:[00000030h] 2_2_032B60A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B60A0 mov eax, dword ptr fs:[00000030h] 2_2_032B60A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B60A0 mov eax, dword ptr fs:[00000030h] 2_2_032B60A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B60A0 mov eax, dword ptr fs:[00000030h] 2_2_032B60A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B60A0 mov eax, dword ptr fs:[00000030h] 2_2_032B60A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B60A0 mov eax, dword ptr fs:[00000030h] 2_2_032B60A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B60A0 mov eax, dword ptr fs:[00000030h] 2_2_032B60A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304080 mov eax, dword ptr fs:[00000030h] 2_2_03304080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304080 mov eax, dword ptr fs:[00000030h] 2_2_03304080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304080 mov eax, dword ptr fs:[00000030h] 2_2_03304080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304080 mov eax, dword ptr fs:[00000030h] 2_2_03304080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304080 mov eax, dword ptr fs:[00000030h] 2_2_03304080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304080 mov eax, dword ptr fs:[00000030h] 2_2_03304080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304080 mov eax, dword ptr fs:[00000030h] 2_2_03304080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322A093 mov ecx, dword ptr fs:[00000030h] 2_2_0322A093
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322C090 mov eax, dword ptr fs:[00000030h] 2_2_0322C090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032C6090 mov eax, dword ptr fs:[00000030h] 2_2_032C6090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BC0E0 mov ecx, dword ptr fs:[00000030h] 2_2_032BC0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322C0F6 mov eax, dword ptr fs:[00000030h] 2_2_0322C0F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E4730 mov eax, dword ptr fs:[00000030h] 2_2_032E4730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E4730 mov eax, dword ptr fs:[00000030h] 2_2_032E4730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325270D mov eax, dword ptr fs:[00000030h] 2_2_0325270D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325270D mov eax, dword ptr fs:[00000030h] 2_2_0325270D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325270D mov eax, dword ptr fs:[00000030h] 2_2_0325270D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323471B mov eax, dword ptr fs:[00000030h] 2_2_0323471B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323471B mov eax, dword ptr fs:[00000030h] 2_2_0323471B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03242760 mov ecx, dword ptr fs:[00000030h] 2_2_03242760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03260774 mov eax, dword ptr fs:[00000030h] 2_2_03260774
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03234779 mov eax, dword ptr fs:[00000030h] 2_2_03234779
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03234779 mov eax, dword ptr fs:[00000030h] 2_2_03234779
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03252755 mov eax, dword ptr fs:[00000030h] 2_2_03252755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03252755 mov eax, dword ptr fs:[00000030h] 2_2_03252755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03252755 mov eax, dword ptr fs:[00000030h] 2_2_03252755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03252755 mov ecx, dword ptr fs:[00000030h] 2_2_03252755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03252755 mov eax, dword ptr fs:[00000030h] 2_2_03252755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03252755 mov eax, dword ptr fs:[00000030h] 2_2_03252755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326A750 mov eax, dword ptr fs:[00000030h] 2_2_0326A750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032DE750 mov eax, dword ptr fs:[00000030h] 2_2_032DE750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032307A7 mov eax, dword ptr fs:[00000030h] 2_2_032307A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D47B4 mov eax, dword ptr fs:[00000030h] 2_2_032D47B4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D47B4 mov eax, dword ptr fs:[00000030h] 2_2_032D47B4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D47B4 mov eax, dword ptr fs:[00000030h] 2_2_032D47B4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D47B4 mov eax, dword ptr fs:[00000030h] 2_2_032D47B4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D47B4 mov eax, dword ptr fs:[00000030h] 2_2_032D47B4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D47B4 mov eax, dword ptr fs:[00000030h] 2_2_032D47B4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D47B4 mov ecx, dword ptr fs:[00000030h] 2_2_032D47B4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032CC7B0 mov eax, dword ptr fs:[00000030h] 2_2_032CC7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032CC7B0 mov eax, dword ptr fs:[00000030h] 2_2_032CC7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE79D mov eax, dword ptr fs:[00000030h] 2_2_032AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE79D mov eax, dword ptr fs:[00000030h] 2_2_032AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE79D mov eax, dword ptr fs:[00000030h] 2_2_032AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE79D mov eax, dword ptr fs:[00000030h] 2_2_032AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE79D mov eax, dword ptr fs:[00000030h] 2_2_032AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE79D mov eax, dword ptr fs:[00000030h] 2_2_032AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE79D mov eax, dword ptr fs:[00000030h] 2_2_032AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE79D mov eax, dword ptr fs:[00000030h] 2_2_032AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE79D mov eax, dword ptr fs:[00000030h] 2_2_032AE79D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E7E0 mov eax, dword ptr fs:[00000030h] 2_2_0325E7E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C620 mov eax, dword ptr fs:[00000030h] 2_2_0326C620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03230630 mov eax, dword ptr fs:[00000030h] 2_2_03230630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03260630 mov eax, dword ptr fs:[00000030h] 2_2_03260630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B8633 mov esi, dword ptr fs:[00000030h] 2_2_032B8633
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B8633 mov eax, dword ptr fs:[00000030h] 2_2_032B8633
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B8633 mov eax, dword ptr fs:[00000030h] 2_2_032B8633
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304600 mov eax, dword ptr fs:[00000030h] 2_2_03304600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326666D mov esi, dword ptr fs:[00000030h] 2_2_0326666D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326666D mov eax, dword ptr fs:[00000030h] 2_2_0326666D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326666D mov eax, dword ptr fs:[00000030h] 2_2_0326666D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BE660 mov eax, dword ptr fs:[00000030h] 2_2_032BE660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03230670 mov eax, dword ptr fs:[00000030h] 2_2_03230670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272670 mov eax, dword ptr fs:[00000030h] 2_2_03272670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272670 mov eax, dword ptr fs:[00000030h] 2_2_03272670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C640 mov eax, dword ptr fs:[00000030h] 2_2_0326C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C640 mov eax, dword ptr fs:[00000030h] 2_2_0326C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326265C mov eax, dword ptr fs:[00000030h] 2_2_0326265C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326265C mov ecx, dword ptr fs:[00000030h] 2_2_0326265C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326265C mov eax, dword ptr fs:[00000030h] 2_2_0326265C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F86A8 mov eax, dword ptr fs:[00000030h] 2_2_032F86A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F86A8 mov eax, dword ptr fs:[00000030h] 2_2_032F86A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 mov eax, dword ptr fs:[00000030h] 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 mov eax, dword ptr fs:[00000030h] 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 mov eax, dword ptr fs:[00000030h] 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 mov eax, dword ptr fs:[00000030h] 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 mov eax, dword ptr fs:[00000030h] 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 mov eax, dword ptr fs:[00000030h] 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 mov eax, dword ptr fs:[00000030h] 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 mov eax, dword ptr fs:[00000030h] 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 mov eax, dword ptr fs:[00000030h] 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 mov eax, dword ptr fs:[00000030h] 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 mov eax, dword ptr fs:[00000030h] 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240680 mov eax, dword ptr fs:[00000030h] 2_2_03240680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03238690 mov eax, dword ptr fs:[00000030h] 2_2_03238690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BC691 mov eax, dword ptr fs:[00000030h] 2_2_032BC691
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323C6E0 mov eax, dword ptr fs:[00000030h] 2_2_0323C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032566E0 mov eax, dword ptr fs:[00000030h] 2_2_032566E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032566E0 mov eax, dword ptr fs:[00000030h] 2_2_032566E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AC6F2 mov eax, dword ptr fs:[00000030h] 2_2_032AC6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AC6F2 mov eax, dword ptr fs:[00000030h] 2_2_032AC6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E46CB mov eax, dword ptr fs:[00000030h] 2_2_032E46CB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E46CB mov eax, dword ptr fs:[00000030h] 2_2_032E46CB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032306CF mov eax, dword ptr fs:[00000030h] 2_2_032306CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FA6C0 mov eax, dword ptr fs:[00000030h] 2_2_032FA6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D86C2 mov eax, dword ptr fs:[00000030h] 2_2_032D86C2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032C66D0 mov eax, dword ptr fs:[00000030h] 2_2_032C66D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032C66D0 mov eax, dword ptr fs:[00000030h] 2_2_032C66D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032DE6D0 mov eax, dword ptr fs:[00000030h] 2_2_032DE6D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324252B mov eax, dword ptr fs:[00000030h] 2_2_0324252B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324252B mov eax, dword ptr fs:[00000030h] 2_2_0324252B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324252B mov eax, dword ptr fs:[00000030h] 2_2_0324252B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324252B mov eax, dword ptr fs:[00000030h] 2_2_0324252B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324252B mov eax, dword ptr fs:[00000030h] 2_2_0324252B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324252B mov eax, dword ptr fs:[00000030h] 2_2_0324252B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324252B mov eax, dword ptr fs:[00000030h] 2_2_0324252B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03272539 mov eax, dword ptr fs:[00000030h] 2_2_03272539
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E507 mov eax, dword ptr fs:[00000030h] 2_2_0325E507
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E507 mov eax, dword ptr fs:[00000030h] 2_2_0325E507
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E507 mov eax, dword ptr fs:[00000030h] 2_2_0325E507
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E507 mov eax, dword ptr fs:[00000030h] 2_2_0325E507
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E507 mov eax, dword ptr fs:[00000030h] 2_2_0325E507
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E507 mov eax, dword ptr fs:[00000030h] 2_2_0325E507
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E507 mov eax, dword ptr fs:[00000030h] 2_2_0325E507
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E507 mov eax, dword ptr fs:[00000030h] 2_2_0325E507
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03232500 mov eax, dword ptr fs:[00000030h] 2_2_03232500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C50D mov eax, dword ptr fs:[00000030h] 2_2_0326C50D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C50D mov eax, dword ptr fs:[00000030h] 2_2_0326C50D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BC51D mov eax, dword ptr fs:[00000030h] 2_2_032BC51D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324C560 mov eax, dword ptr fs:[00000030h] 2_2_0324C560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324E547 mov eax, dword ptr fs:[00000030h] 2_2_0324E547
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03266540 mov eax, dword ptr fs:[00000030h] 2_2_03266540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03268540 mov eax, dword ptr fs:[00000030h] 2_2_03268540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323254C mov eax, dword ptr fs:[00000030h] 2_2_0323254C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032C6550 mov eax, dword ptr fs:[00000030h] 2_2_032C6550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FA553 mov eax, dword ptr fs:[00000030h] 2_2_032FA553
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B85AA mov eax, dword ptr fs:[00000030h] 2_2_032B85AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032345B0 mov eax, dword ptr fs:[00000030h] 2_2_032345B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032345B0 mov eax, dword ptr fs:[00000030h] 2_2_032345B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE588 mov eax, dword ptr fs:[00000030h] 2_2_032AE588
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AE588 mov eax, dword ptr fs:[00000030h] 2_2_032AE588
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326A580 mov eax, dword ptr fs:[00000030h] 2_2_0326A580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326A580 mov eax, dword ptr fs:[00000030h] 2_2_0326A580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03262594 mov eax, dword ptr fs:[00000030h] 2_2_03262594
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BC592 mov eax, dword ptr fs:[00000030h] 2_2_032BC592
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326A5E7 mov ebx, dword ptr fs:[00000030h] 2_2_0326A5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326A5E7 mov eax, dword ptr fs:[00000030h] 2_2_0326A5E7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032DE5E0 mov eax, dword ptr fs:[00000030h] 2_2_032DE5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BC5FC mov eax, dword ptr fs:[00000030h] 2_2_032BC5FC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C5C6 mov eax, dword ptr fs:[00000030h] 2_2_0326C5C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B05C6 mov eax, dword ptr fs:[00000030h] 2_2_032B05C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032665D0 mov eax, dword ptr fs:[00000030h] 2_2_032665D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032C6400 mov eax, dword ptr fs:[00000030h] 2_2_032C6400
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032C6400 mov eax, dword ptr fs:[00000030h] 2_2_032C6400
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322640D mov eax, dword ptr fs:[00000030h] 2_2_0322640D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BE461 mov eax, dword ptr fs:[00000030h] 2_2_032BE461
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032FA464 mov eax, dword ptr fs:[00000030h] 2_2_032FA464
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03238470 mov eax, dword ptr fs:[00000030h] 2_2_03238470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03238470 mov eax, dword ptr fs:[00000030h] 2_2_03238470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240445 mov eax, dword ptr fs:[00000030h] 2_2_03240445
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240445 mov eax, dword ptr fs:[00000030h] 2_2_03240445
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240445 mov eax, dword ptr fs:[00000030h] 2_2_03240445
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240445 mov eax, dword ptr fs:[00000030h] 2_2_03240445
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240445 mov eax, dword ptr fs:[00000030h] 2_2_03240445
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240445 mov eax, dword ptr fs:[00000030h] 2_2_03240445
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B0443 mov eax, dword ptr fs:[00000030h] 2_2_032B0443
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E45E mov eax, dword ptr fs:[00000030h] 2_2_0325E45E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E45E mov eax, dword ptr fs:[00000030h] 2_2_0325E45E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E45E mov eax, dword ptr fs:[00000030h] 2_2_0325E45E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E45E mov eax, dword ptr fs:[00000030h] 2_2_0325E45E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E45E mov eax, dword ptr fs:[00000030h] 2_2_0325E45E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032324A2 mov eax, dword ptr fs:[00000030h] 2_2_032324A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032324A2 mov ecx, dword ptr fs:[00000030h] 2_2_032324A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032644A8 mov eax, dword ptr fs:[00000030h] 2_2_032644A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032C84BB mov eax, dword ptr fs:[00000030h] 2_2_032C84BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E4BC mov eax, dword ptr fs:[00000030h] 2_2_0326E4BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03230485 mov ecx, dword ptr fs:[00000030h] 2_2_03230485
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326648A mov eax, dword ptr fs:[00000030h] 2_2_0326648A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326648A mov eax, dword ptr fs:[00000030h] 2_2_0326648A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326648A mov eax, dword ptr fs:[00000030h] 2_2_0326648A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BC490 mov eax, dword ptr fs:[00000030h] 2_2_032BC490
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E4EF mov eax, dword ptr fs:[00000030h] 2_2_0326E4EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326E4EF mov eax, dword ptr fs:[00000030h] 2_2_0326E4EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032364F0 mov eax, dword ptr fs:[00000030h] 2_2_032364F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D44F8 mov eax, dword ptr fs:[00000030h] 2_2_032D44F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D44F8 mov eax, dword ptr fs:[00000030h] 2_2_032D44F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326A4F0 mov eax, dword ptr fs:[00000030h] 2_2_0326A4F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326A4F0 mov eax, dword ptr fs:[00000030h] 2_2_0326A4F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BE4F2 mov eax, dword ptr fs:[00000030h] 2_2_032BE4F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BE4F2 mov eax, dword ptr fs:[00000030h] 2_2_032BE4F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032544D1 mov eax, dword ptr fs:[00000030h] 2_2_032544D1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032544D1 mov eax, dword ptr fs:[00000030h] 2_2_032544D1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326CB20 mov eax, dword ptr fs:[00000030h] 2_2_0326CB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BCB20 mov eax, dword ptr fs:[00000030h] 2_2_032BCB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BCB20 mov eax, dword ptr fs:[00000030h] 2_2_032BCB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BCB20 mov eax, dword ptr fs:[00000030h] 2_2_032BCB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03238B10 mov eax, dword ptr fs:[00000030h] 2_2_03238B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03238B10 mov eax, dword ptr fs:[00000030h] 2_2_03238B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03238B10 mov eax, dword ptr fs:[00000030h] 2_2_03238B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240B10 mov eax, dword ptr fs:[00000030h] 2_2_03240B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240B10 mov eax, dword ptr fs:[00000030h] 2_2_03240B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240B10 mov eax, dword ptr fs:[00000030h] 2_2_03240B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240B10 mov eax, dword ptr fs:[00000030h] 2_2_03240B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325EB1C mov eax, dword ptr fs:[00000030h] 2_2_0325EB1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322CB1E mov eax, dword ptr fs:[00000030h] 2_2_0322CB1E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323AB70 mov eax, dword ptr fs:[00000030h] 2_2_0323AB70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323AB70 mov eax, dword ptr fs:[00000030h] 2_2_0323AB70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323AB70 mov eax, dword ptr fs:[00000030h] 2_2_0323AB70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323AB70 mov eax, dword ptr fs:[00000030h] 2_2_0323AB70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323AB70 mov eax, dword ptr fs:[00000030h] 2_2_0323AB70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323AB70 mov eax, dword ptr fs:[00000030h] 2_2_0323AB70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236B70 mov eax, dword ptr fs:[00000030h] 2_2_03236B70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236B70 mov eax, dword ptr fs:[00000030h] 2_2_03236B70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236B70 mov eax, dword ptr fs:[00000030h] 2_2_03236B70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304B67 mov eax, dword ptr fs:[00000030h] 2_2_03304B67
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E6B77 mov eax, dword ptr fs:[00000030h] 2_2_032E6B77
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03264B79 mov eax, dword ptr fs:[00000030h] 2_2_03264B79
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F8BBE mov eax, dword ptr fs:[00000030h] 2_2_032F8BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F8BBE mov eax, dword ptr fs:[00000030h] 2_2_032F8BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F8BBE mov eax, dword ptr fs:[00000030h] 2_2_032F8BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F8BBE mov eax, dword ptr fs:[00000030h] 2_2_032F8BBE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304BE0 mov eax, dword ptr fs:[00000030h] 2_2_03304BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322EBC0 mov eax, dword ptr fs:[00000030h] 2_2_0322EBC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B4BC0 mov eax, dword ptr fs:[00000030h] 2_2_032B4BC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B4BC0 mov eax, dword ptr fs:[00000030h] 2_2_032B4BC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B4BC0 mov eax, dword ptr fs:[00000030h] 2_2_032B4BC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B4BC0 mov eax, dword ptr fs:[00000030h] 2_2_032B4BC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D6BDE mov ebx, dword ptr fs:[00000030h] 2_2_032D6BDE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D6BDE mov eax, dword ptr fs:[00000030h] 2_2_032D6BDE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03258BD1 mov eax, dword ptr fs:[00000030h] 2_2_03258BD1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03258BD1 mov eax, dword ptr fs:[00000030h] 2_2_03258BD1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326AA0E mov eax, dword ptr fs:[00000030h] 2_2_0326AA0E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326AA0E mov eax, dword ptr fs:[00000030h] 2_2_0326AA0E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325EA40 mov eax, dword ptr fs:[00000030h] 2_2_0325EA40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325EA40 mov eax, dword ptr fs:[00000030h] 2_2_0325EA40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032CAA40 mov eax, dword ptr fs:[00000030h] 2_2_032CAA40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032CAA40 mov eax, dword ptr fs:[00000030h] 2_2_032CAA40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B4A57 mov eax, dword ptr fs:[00000030h] 2_2_032B4A57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B4A57 mov eax, dword ptr fs:[00000030h] 2_2_032B4A57
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E6A50 mov ecx, dword ptr fs:[00000030h] 2_2_032E6A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E6A80 mov eax, dword ptr fs:[00000030h] 2_2_032E6A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D0AE0 mov eax, dword ptr fs:[00000030h] 2_2_032D0AE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D2AE0 mov eax, dword ptr fs:[00000030h] 2_2_032D2AE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D2AE0 mov eax, dword ptr fs:[00000030h] 2_2_032D2AE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03250AEB mov eax, dword ptr fs:[00000030h] 2_2_03250AEB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03250AEB mov eax, dword ptr fs:[00000030h] 2_2_03250AEB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03250AEB mov eax, dword ptr fs:[00000030h] 2_2_03250AEB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03230AED mov eax, dword ptr fs:[00000030h] 2_2_03230AED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03230AED mov eax, dword ptr fs:[00000030h] 2_2_03230AED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03230AED mov eax, dword ptr fs:[00000030h] 2_2_03230AED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B0AFF mov eax, dword ptr fs:[00000030h] 2_2_032B0AFF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B0AFF mov eax, dword ptr fs:[00000030h] 2_2_032B0AFF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B0AFF mov eax, dword ptr fs:[00000030h] 2_2_032B0AFF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304AE8 mov eax, dword ptr fs:[00000030h] 2_2_03304AE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240ACE mov eax, dword ptr fs:[00000030h] 2_2_03240ACE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03240ACE mov eax, dword ptr fs:[00000030h] 2_2_03240ACE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D4AC2 mov eax, dword ptr fs:[00000030h] 2_2_032D4AC2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F892E mov eax, dword ptr fs:[00000030h] 2_2_032F892E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032F892E mov eax, dword ptr fs:[00000030h] 2_2_032F892E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AC920 mov ecx, dword ptr fs:[00000030h] 2_2_032AC920
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AC920 mov eax, dword ptr fs:[00000030h] 2_2_032AC920
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AC920 mov eax, dword ptr fs:[00000030h] 2_2_032AC920
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032AC920 mov eax, dword ptr fs:[00000030h] 2_2_032AC920
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0328693A mov eax, dword ptr fs:[00000030h] 2_2_0328693A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0328693A mov eax, dword ptr fs:[00000030h] 2_2_0328693A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0328693A mov eax, dword ptr fs:[00000030h] 2_2_0328693A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0330492D mov eax, dword ptr fs:[00000030h] 2_2_0330492D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03286912 mov eax, dword ptr fs:[00000030h] 2_2_03286912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03262919 mov eax, dword ptr fs:[00000030h] 2_2_03262919
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03262919 mov eax, dword ptr fs:[00000030h] 2_2_03262919
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324096B mov eax, dword ptr fs:[00000030h] 2_2_0324096B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324096B mov eax, dword ptr fs:[00000030h] 2_2_0324096B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236970 mov eax, dword ptr fs:[00000030h] 2_2_03236970
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236970 mov eax, dword ptr fs:[00000030h] 2_2_03236970
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236970 mov eax, dword ptr fs:[00000030h] 2_2_03236970
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236970 mov eax, dword ptr fs:[00000030h] 2_2_03236970
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236970 mov eax, dword ptr fs:[00000030h] 2_2_03236970
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236970 mov eax, dword ptr fs:[00000030h] 2_2_03236970
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03236970 mov eax, dword ptr fs:[00000030h] 2_2_03236970
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C944 mov eax, dword ptr fs:[00000030h] 2_2_0326C944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325E94E mov eax, dword ptr fs:[00000030h] 2_2_0325E94E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03254955 mov eax, dword ptr fs:[00000030h] 2_2_03254955
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03254955 mov eax, dword ptr fs:[00000030h] 2_2_03254955
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C958 mov eax, dword ptr fs:[00000030h] 2_2_0326C958
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323E9A0 mov eax, dword ptr fs:[00000030h] 2_2_0323E9A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323E9A0 mov eax, dword ptr fs:[00000030h] 2_2_0323E9A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323E9A0 mov eax, dword ptr fs:[00000030h] 2_2_0323E9A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323E9A0 mov eax, dword ptr fs:[00000030h] 2_2_0323E9A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323E9A0 mov eax, dword ptr fs:[00000030h] 2_2_0323E9A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323E9A0 mov eax, dword ptr fs:[00000030h] 2_2_0323E9A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323E9A0 mov eax, dword ptr fs:[00000030h] 2_2_0323E9A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323E9A0 mov eax, dword ptr fs:[00000030h] 2_2_0323E9A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323E9A0 mov eax, dword ptr fs:[00000030h] 2_2_0323E9A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B89A0 mov eax, dword ptr fs:[00000030h] 2_2_032B89A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032689B0 mov edx, dword ptr fs:[00000030h] 2_2_032689B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032C69B0 mov eax, dword ptr fs:[00000030h] 2_2_032C69B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032C69B0 mov eax, dword ptr fs:[00000030h] 2_2_032C69B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032C69B0 mov ecx, dword ptr fs:[00000030h] 2_2_032C69B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C98F mov eax, dword ptr fs:[00000030h] 2_2_0326C98F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C98F mov eax, dword ptr fs:[00000030h] 2_2_0326C98F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C98F mov eax, dword ptr fs:[00000030h] 2_2_0326C98F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D0980 mov eax, dword ptr fs:[00000030h] 2_2_032D0980
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D0980 mov eax, dword ptr fs:[00000030h] 2_2_032D0980
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032309F0 mov eax, dword ptr fs:[00000030h] 2_2_032309F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032649F0 mov eax, dword ptr fs:[00000030h] 2_2_032649F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032649F0 mov eax, dword ptr fs:[00000030h] 2_2_032649F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032389C0 mov eax, dword ptr fs:[00000030h] 2_2_032389C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032389C0 mov eax, dword ptr fs:[00000030h] 2_2_032389C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033029CF mov eax, dword ptr fs:[00000030h] 2_2_033029CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033029CF mov eax, dword ptr fs:[00000030h] 2_2_033029CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E0835 mov eax, dword ptr fs:[00000030h] 2_2_032E0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C819 mov eax, dword ptr fs:[00000030h] 2_2_0326C819
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0326C819 mov eax, dword ptr fs:[00000030h] 2_2_0326C819
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032BC870 mov eax, dword ptr fs:[00000030h] 2_2_032BC870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B488F mov eax, dword ptr fs:[00000030h] 2_2_032B488F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03256882 mov eax, dword ptr fs:[00000030h] 2_2_03256882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03256882 mov eax, dword ptr fs:[00000030h] 2_2_03256882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03256882 mov eax, dword ptr fs:[00000030h] 2_2_03256882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0327088E mov eax, dword ptr fs:[00000030h] 2_2_0327088E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0327088E mov edx, dword ptr fs:[00000030h] 2_2_0327088E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0327088E mov eax, dword ptr fs:[00000030h] 2_2_0327088E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E8890 mov eax, dword ptr fs:[00000030h] 2_2_032E8890
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032E8890 mov eax, dword ptr fs:[00000030h] 2_2_032E8890
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A8F0 mov eax, dword ptr fs:[00000030h] 2_2_0323A8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A8F0 mov eax, dword ptr fs:[00000030h] 2_2_0323A8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A8F0 mov eax, dword ptr fs:[00000030h] 2_2_0323A8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A8F0 mov eax, dword ptr fs:[00000030h] 2_2_0323A8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A8F0 mov eax, dword ptr fs:[00000030h] 2_2_0323A8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0323A8F0 mov eax, dword ptr fs:[00000030h] 2_2_0323A8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032648F0 mov eax, dword ptr fs:[00000030h] 2_2_032648F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032C88FB mov eax, dword ptr fs:[00000030h] 2_2_032C88FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032428C0 mov eax, dword ptr fs:[00000030h] 2_2_032428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032288C8 mov eax, dword ptr fs:[00000030h] 2_2_032288C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032288C8 mov eax, dword ptr fs:[00000030h] 2_2_032288C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032308CD mov eax, dword ptr fs:[00000030h] 2_2_032308CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032308CD mov eax, dword ptr fs:[00000030h] 2_2_032308CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B8F3C mov eax, dword ptr fs:[00000030h] 2_2_032B8F3C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B8F3C mov eax, dword ptr fs:[00000030h] 2_2_032B8F3C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B8F3C mov ecx, dword ptr fs:[00000030h] 2_2_032B8F3C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B8F3C mov ecx, dword ptr fs:[00000030h] 2_2_032B8F3C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324CF00 mov eax, dword ptr fs:[00000030h] 2_2_0324CF00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0324CF00 mov eax, dword ptr fs:[00000030h] 2_2_0324CF00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304F1D mov eax, dword ptr fs:[00000030h] 2_2_03304F1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03270F16 mov eax, dword ptr fs:[00000030h] 2_2_03270F16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03270F16 mov eax, dword ptr fs:[00000030h] 2_2_03270F16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03270F16 mov eax, dword ptr fs:[00000030h] 2_2_03270F16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03270F16 mov eax, dword ptr fs:[00000030h] 2_2_03270F16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032EEF66 mov eax, dword ptr fs:[00000030h] 2_2_032EEF66
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03304F7C mov eax, dword ptr fs:[00000030h] 2_2_03304F7C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325AF72 mov eax, dword ptr fs:[00000030h] 2_2_0325AF72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03286F70 mov eax, dword ptr fs:[00000030h] 2_2_03286F70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322EF79 mov eax, dword ptr fs:[00000030h] 2_2_0322EF79
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322EF79 mov eax, dword ptr fs:[00000030h] 2_2_0322EF79
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0322EF79 mov eax, dword ptr fs:[00000030h] 2_2_0322EF79
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D0F49 mov eax, dword ptr fs:[00000030h] 2_2_032D0F49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D0F49 mov eax, dword ptr fs:[00000030h] 2_2_032D0F49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032D0F49 mov eax, dword ptr fs:[00000030h] 2_2_032D0F49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032EAF50 mov ecx, dword ptr fs:[00000030h] 2_2_032EAF50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03234FB6 mov eax, dword ptr fs:[00000030h] 2_2_03234FB6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325CFB0 mov eax, dword ptr fs:[00000030h] 2_2_0325CFB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0325CFB0 mov eax, dword ptr fs:[00000030h] 2_2_0325CFB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03268FBC mov eax, dword ptr fs:[00000030h] 2_2_03268FBC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B8F8B mov eax, dword ptr fs:[00000030h] 2_2_032B8F8B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032B8F8B mov eax, dword ptr fs:[00000030h] 2_2_032B8F8B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00426DA1 CreateFileW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SetEndOfFile,GetLastError, 0_2_00426DA1
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004230F5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00417D93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7
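Every `mov eax, dword ptr fs:[00000030h]` line above is the code running inside svchost.exe loading the PEB pointer out of the TEB (fs:[30h] in a 32-bit or WOW64 process; gs:[60h] in a native x64 process). The PEB is read for the two reasons that both show up as signatures in this report: anti-debugging (PEB.BeingDebugged at +0x02 and PEB.NtGlobalFlag at +0x68 on 32-bit) and resolving APIs without an import table by walking PEB.Ldr at +0x0C (the "dynamically determine API calls" finding). The Python below is an added example, not part of the report and not code from the sample: it scans raw code bytes for those instruction encodings and names the PEB field the following instruction dereferences. The sample bytes are constructed for the example, not extracted from Purchase Order.exe.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

# PEB fields that anti-debug and API-resolution code reads right after loading the PEB pointer.
PEB32_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}
PEB64_FIELDS = {0x02: "BeingDebugged", 0x18: "Ldr", 0x30: "ProcessHeap", 0xBC: "NtGlobalFlag"}


@dataclass
class PebRead:
    offset: int                  # byte offset of the instruction in the scanned buffer
    bits: int                    # 32 or 64
    reg: str                     # register that receives the PEB pointer
    length: int                  # instruction length in bytes
    field: Optional[str] = None  # PEB field read by the next instruction, if recognised


def _follow_up_field(code: bytes, pos: int, reg_idx: int, fields: dict) -> Optional[str]:
    """Recognise `mov r, [reg+disp8]` or `movzx r, byte ptr [reg+disp8]` (optionally REX.W)
    immediately after the PEB load and name the PEB field it touches.
    Limitation: an esp/rsp base (rm=100) needs a SIB byte and is not decoded here."""
    if pos < len(code) and code[pos] == 0x48:          # REX.W prefix on x64
        pos += 1
    if pos + 3 <= len(code) and code[pos] == 0x8B:      # mov r32/r64, r/m
        modrm, disp = code[pos + 1], code[pos + 2]
    elif pos + 4 <= len(code) and code[pos] == 0x0F and code[pos + 1] == 0xB6:  # movzx r, byte
        modrm, disp = code[pos + 2], code[pos + 3]
    else:
        return None
    if (modrm >> 6) == 1 and (modrm & 7) == reg_idx:   # mod=01 (disp8), base register == reg
        return fields.get(disp)
    return None


def scan_peb_reads(code: bytes) -> List[PebRead]:
    """Linear byte scan for the PEB-pointer load encodings (not a full disassembler)."""
    hits, i, n = [], 0, len(code)
    while i < n:
        b = code[i]
        # 32-bit short form: 64 A1 disp32                 -> mov eax, fs:[disp32]
        if b == 0x64 and i + 6 <= n and code[i + 1] == 0xA1:
            if struct.unpack_from("<I", code, i + 2)[0] == 0x30:
                h = PebRead(i, 32, "eax", 6)
                h.field = _follow_up_field(code, i + 6, 0, PEB32_FIELDS)
                hits.append(h); i += 6; continue
        # 32-bit ModRM form: 64 8B /r disp32 (mod=00,rm=101) -> mov r32, fs:[disp32]
        if b == 0x64 and i + 7 <= n and code[i + 1] == 0x8B and (code[i + 2] & 0xC7) == 0x05:
            if struct.unpack_from("<I", code, i + 3)[0] == 0x30:
                r = (code[i + 2] >> 3) & 7
                h = PebRead(i, 32, REG32[r], 7)
                h.field = _follow_up_field(code, i + 7, r, PEB32_FIELDS)
                hits.append(h); i += 7; continue
        # 64-bit: 65 48 8B /r SIB=25 disp32 (mod=00,rm=100)  -> mov r64, gs:[disp32]
        if (b == 0x65 and i + 9 <= n and code[i + 1] == 0x48 and code[i + 2] == 0x8B
                and (code[i + 3] & 0xC7) == 0x04 and code[i + 4] == 0x25):
            if struct.unpack_from("<I", code, i + 5)[0] == 0x60:
                r = (code[i + 3] >> 3) & 7
                h = PebRead(i, 64, REG64[r], 9)
                h.field = _follow_up_field(code, i + 9, r, PEB64_FIELDS)
                hits.append(h); i += 9; continue
        i += 1
    return hits


def describe(h: PebRead) -> str:
    """Render a hit in the notation the sandbox report uses."""
    seg, disp, width = ("fs", 0x30, "dword") if h.bits == 32 else ("gs", 0x60, "qword")
    text = f"mov {h.reg}, {width} ptr {seg}:[{disp:08X}h]"
    return text + (f"  ; -> PEB.{h.field}" if h.field else "")


# Constructed sample (not bytes from the analysed file): a 32-bit stub doing the three
# classic PEB reads, plus a TEB read (fs:[18h]) that must not be reported.
SAMPLE32 = bytes.fromhex(
    "55 8B EC"              # push ebp ; mov ebp, esp
    "64 A1 30 00 00 00"     # mov eax, dword ptr fs:[30h]      (PEB)
    "0F B6 40 02"           # movzx eax, byte ptr [eax+2]      (BeingDebugged)
    "64 8B 0D 30 00 00 00"  # mov ecx, dword ptr fs:[30h]
    "8B 49 0C"              # mov ecx, [ecx+0Ch]               (Ldr, API resolution)
    "64 8B 15 30 00 00 00"  # mov edx, dword ptr fs:[30h]
    "8B 52 68"              # mov edx, [edx+68h]               (NtGlobalFlag)
    "64 A1 18 00 00 00"     # mov eax, dword ptr fs:[18h]      (TEB self pointer, ignored)
    "C9 C3"                 # leave ; ret
)
SAMPLE64 = bytes.fromhex(
    "65 48 8B 04 25 60 00 00 00"  # mov rax, gs:[60h]          (PEB on x64)
    "0F B6 40 02"                 # movzx eax, byte ptr [rax+2] (BeingDebugged)
    "C3"
)

if __name__ == "__main__":
    for hit in scan_peb_reads(SAMPLE32) + scan_peb_reads(SAMPLE64):
        print(f"{hit.offset:04X}  {describe(hit)}")
```

Because this is a byte scan and not a disassembler, a match can land inside an immediate or a string; confirm hits on a decoded listing before citing them as evidence. Packed samples also hide the read behind a computed displacement or a push/pop sequence that this fixed pattern will not see, so treat a zero count as "not found by this method", not as absence.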

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtTerminateThread: Direct from: 0x7FF86B5C2651
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x74D56A1
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x74DD28F
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtResumeThread: Direct from: 0x74D5718
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x74D54D2
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\expand.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\expand.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write
Source: C:\Windows\SysWOW64\expand.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\expand.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 5340
Source: C:\Windows\SysWOW64\expand.exe Thread register set: target process: 5340
Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Source: C:\Users\user\Desktop\Purchase Order.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 4B0008
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00436431 mouse_event,mouse_event, 0_2_00436431
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\SysWOW64\expand.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: explorer.exe, 00000006.00000002.7526323118.0000000001163000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.4810052462.0000000001163000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd.\
Source: Purchase Order.exe, RAVCpl64.exe, 00000004.00000002.7527538058.0000000000E51000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000000.3269003788.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.7527230757.0000000001981000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: RAVCpl64.exe, 00000004.00000002.7527538058.0000000000E51000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000000.3269003788.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.7526323118.0000000001163000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: Purchase Order.exe Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: RAVCpl64.exe, 00000004.00000002.7527538058.0000000000E51000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000000.3269003788.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.7527230757.0000000001981000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: RAVCpl64.exe, 00000004.00000002.7527538058.0000000000E51000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000000.3269003788.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.7527230757.0000000001981000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager]
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0042039F GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_0042039F
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
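Read together, the "Section loaded", "Thread register set", "Thread APC queued", "Memory written" and "Process created" lines in this section describe an injection chain rather than isolated events: Purchase Order.exe starts svchost.exe with its own command line, maps an execute/read/write section into it and writes to it; svchost.exe maps into RAVCpl64.exe and expand.exe and queues an APC in RAVCpl64.exe; expand.exe maps into RAVCpl64.exe and explorer.exe and sets the thread context of PID 5340; and RAVCpl64.exe issues Nt* calls flagged as direct syscalls, i.e. not entered through ntdll's exported stubs where user-mode EDR hooks sit. The Python below is an added example, not sandbox tooling and not part of the report: it parses exactly these report lines (the sample input is the lines copied from this section), tags each with an ATT&CK technique, and rebuilds the chain from the initial sample, which is the shape an analyst needs for a triage note or a detection rule. The ATT&CK mapping is the editor's, not the report's.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed input: these lines are copied from the report section above.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\SysWOW64\expand.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtTerminateThread: Direct from: 0x7FF86B5C2651
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x74D56A1
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x74DD28F
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtResumeThread: Direct from: 0x74D5718
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x74D54D2
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\expand.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\expand.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write
Source: C:\Windows\SysWOW64\expand.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\expand.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 5340
Source: C:\Windows\SysWOW64\expand.exe Thread register set: target process: 5340
Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Source: C:\Users\user\Desktop\Purchase Order.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 4B0008
""".strip().splitlines()

# One regex per report line shape; the trailing "Jump to behavior" link text is tolerated.
PATTERNS = {
    "process_create": re.compile(r'^Source: (?P<src>.+?) Process created: (?P<dst>.+?) "'),
    "direct_syscall": re.compile(r"^Source: (?P<src>.+?) (?P<api>Nt[A-Za-z]+): Direct from: 0x(?P<addr>[0-9A-Fa-f]+)"),
    "map_section":    re.compile(r"^Source: (?P<src>.+?) Section loaded: NULL target: (?P<dst>.+?) protection: (?P<prot>.+?)(?: Jump to behavior)?$"),
    "thread_context": re.compile(r"^Source: (?P<src>.+?) Thread register set: target process: (?P<dst>\S+)"),
    "apc_queue":      re.compile(r"^Source: (?P<src>.+?) Thread APC queued: target process: (?P<dst>.+?)(?: Jump to behavior)?$"),
    "memory_write":   re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)"),
}

# Editor's ATT&CK mapping per event kind (the report gives no technique IDs).
TECHNIQUE = {
    "map_section":    "T1055 process injection (section mapped into foreign process)",
    "memory_write":   "T1055 process injection (write into foreign process memory)",
    "thread_context": "T1055.003 thread execution hijacking (foreign thread context set)",
    "apc_queue":      "T1055.004 APC injection",
    "direct_syscall": "T1106 native API entered outside ntdll (user-mode hook bypass)",
    "process_create": "child process created (process-tree edge)",
}


@dataclass(frozen=True)
class Event:
    kind: str
    src: str     # image name of the acting process
    dst: str     # image name (or PID) of the target, "" when not applicable
    detail: str  # protection, syscall name or write base, depending on kind


def parse_report(lines: List[str]) -> List[Event]:
    events = []
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                g = m.groupdict()
                detail = g.get("prot") or g.get("api") or g.get("base") or ""
                events.append(Event(kind, ntpath.basename(g["src"]),
                                    ntpath.basename(g.get("dst") or ""), detail))
                break
    return events


def injection_edges(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(actor, target, technique) for every cross-process action in the report."""
    return [(e.src, e.dst, TECHNIQUE[e.kind]) for e in events if e.kind != "direct_syscall"]


def executable_injection_targets(events: List[Event]) -> List[str]:
    """Processes that received a section mapped with execute permission (code was planted)."""
    return sorted({e.dst for e in events if e.kind == "map_section" and "execute" in e.detail})


def direct_syscalls_by_process(events: List[Event]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e.kind == "direct_syscall":
            out[e.src].append(e.detail)
    return dict(out)


def injection_chain(events: List[Event], root: str) -> List[str]:
    """Depth-first walk from the initial sample over map/write/APC/create edges."""
    children: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.kind in ("map_section", "memory_write", "apc_queue", "process_create"):
            children[e.src].add(e.dst)
    order, seen, stack = [], set(), [root]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        order.append(node)
        stack.extend(sorted(children[node], reverse=True))
    return order


if __name__ == "__main__":
    ev = parse_report(REPORT_LINES)
    print("chain:", " -> ".join(injection_chain(ev, "Purchase Order.exe")))
    print("RWX targets:", executable_injection_targets(ev))
    print("direct syscalls:", direct_syscalls_by_process(ev))
```

The chain walk deliberately ignores "Thread register set" edges because the report names the target by PID (5340) rather than image, so that edge cannot be joined to the process names without the process-tree section of the report; it is still kept as an edge with its technique for the triage note. The "read write" mappings into RAVCpl64.exe and explorer.exe are recorded but not counted as code injection, since no executable section was mapped there.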

Stealing of Sensitive Information

Source: Yara match File source: 2.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4885525142.0000000004250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4885598668.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3339599911.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3338743779.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Purchase Order.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: Purchase Order.exe Binary or memory string: WIN_XP
Source: Purchase Order.exe Binary or memory string: WIN_XPe
Source: Purchase Order.exe Binary or memory string: WIN_VISTA
Source: Purchase Order.exe Binary or memory string: WIN_7

Remote Access Functionality

Source: Yara match File source: 2.2.svchost.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4885525142.0000000004250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4885598668.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3339599911.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3338743779.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0047AD92 OleInitialize,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
No contacted IP infos